Search fragment

Description

index=main    sourcetype=access_combined   

You should now be familiar with this search from the earlier recipes. It is used to return events from the website access log.

| eventstats mean(bytes) AS    mean_bytes, stdev(bytes) AS    stdev_bytes   

The eventstats command is used to calculate the mean value and standard deviation of bytes over a given time period. The resulting values are added as new fields to each event.

| eval    Z_score=round(((bytes-   mean_bytes)/stdev_bytes),2)   

Using the eval command, we calculate a new field called Z-score for each event and round it to two decimal places. The Z-score associated with each event will enable ...