Calculates the standard deviation for a field over a set of events. The result is returned in a field named _stddev
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxstdDev("value")and:
logscale SyntaxstdDev(field="value")These examples show basic structure only.
stdDev() Syntax Examples
Find the standard deviation of bytes send in http responses
stdDevBytes := stdDev(field=bytes_sent)stdDev() Examples
Click next to an example below to get the full details.
Calculate Standard Deviation of Bytes Sent
Calculate standard deviation of Bytes sent using the
stdDev() function
Query
stdDevBytes := stdDev(field=bytes_sent)Introduction
In this example, the stdDev() is used to calculate
how much the number of bytes sent varies from the mean value.
Example incoming data might look like this:
| @timestamp | endpoint | bytes_sent | status_code |
|---|---|---|---|
| 1686837825000 | /api/users | 1450 | 200 |
| 1686837826000 | /api/products | 8920 | 200 |
| 1686837827000 | /api/orders | 1670 | 200 |
| 1686837828000 | /api/payment | 12900 | 500 |
| 1686837829000 | /api/users | 1560 | 200 |
| 1686837830000 | /api/items | 780 | 200 |
| 1686837831000 | /api/orders | 9340 | 200 |
| 1686837832000 | /api/checkout | 9230 | 200 |
| 1686837833000 | /api/products | 1340 | 200 |
| 1686837834000 | /api/users | 4450 | 200 |
Step-by-Step
Starting with the source repository events.
- logscale
stdDevBytes := stdDev(field=bytes_sent)Calculates the standard deviation of values in the bytes_sent field and assigns the result to a new field named stdDevBytes.
The
stdDev()function measures how widely the values are dispersed from their average value. Event Result set.
Summary and Results
The query is used to understand the variability in the size of data being transferred.
This query is useful, for example, to identify unusual patterns in data transfer sizes, establish normal ranges for network traffic, or detect anomalies in data transmission.
Sample output from the incoming example data:
| stdDevBytes |
|---|
| 4289.32 |
Note that the result is a single value representing the standard deviation. A higher value indicates greater variation in the data.
The unit of measurement is the same as the input field (bytes in this case).