Skip to main content

rollingstd Search Operator

The rollingstd operator finds the rolling standard deviation of a field, allowing you to identify changes over time.

For example, you'd use rollingstd in a query to identify spikes in activity for a Collector, or for a URL in your site. You can use a rollingstd to find compute the average number from the past, to identify changes (larger or smaller) over time.

Two or more data points are needed to get accurate results from a rollingstd operator. If you attempt to find the rollingstd of a single data point the results will automatically be zero.

If you specify a window length of 5, but only 4 data points are available, the rollingstd operator takes the average of whatever is available.

Syntax​

rollingstd <field> [, window_length] [as <field>]

Rules​

  • An alias for rollingstd is optional. When an alias is not provided, _rollingstd is the default alias.
  • Specified fields must contain numeric values.
  • To add a query that includes a rollingstd operator to a Dashboard, you must add a group by function before the rollingstd operator.
  • The default window length is 10.
  • The maximum window length is 1000.

Examples​

Use rollingstd to see the difference of fields between time points, grouped by source host

Running a query such as:

_sourceCategory=katta
| timeslice by 1m
| count by _timeslice,_sourceHost
| sort + _timeslice
| rollingstd _count,1 by _sourceHost

produces results like:

rollingstd

Find the rolling standard deviation of a field between time points​

Using rollingstd with timeslice, you can run a query similar to:

* | parse "bytes: '*'" as bytes
| timeslice 1m
| sum(bytes) as bytes by _timeslice
| sort _timeslice
| rollingstd bytes, 5

that produces results like:

example 1

The aggregation table can be made into an area chart, like this:

example 2

Specify a window length of 5, but only 4 data points are available​

Before 5 values are available, the rollingstd operator takes an average of whatever is available. For example:

_sourceCategory=katta
| timeslice by 1m
| count by _timeslice,_sourceHost
| where _sourceHost="prod-katta-237"
| sort + _timeslice
| rollingstd _count,5

which produces results like:

data points

rollingstd is also used with the backshift operator.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.