standard deviation

Finds the standard deviation value for a distribution of numerical values within the time range analyzed and associated with a group designated by the "group by" field.


  • stddev(numerical_field)


  • Creates field named _stddev


You can use the query below to view the standard deviation of the time delay, along with the average, maximum, and minimum delay, for a Source. Use it to troubleshoot large discrepancies between message time and receipt time.

| abs(_receipttime - _messagetime) as delt   // delay in milliseconds
| delt/1000/60 as delt                        // convert milliseconds to minutes
| min(delt), max(delt), avg(delt), stddev(delt), count(*) by _collector, _sourcename   // one row per Collector and Source
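
The same per-Source statistics reproduced offline in Python, as an added example (not Sumo Logic code) showing how avg and stddev read together separate a constant timestamp offset from an intermittent delay. The records, source names, and the thresholds in `classify` are constructed or hypothetical, and the population form of standard deviation is an assumption, since the page does not say which form stddev uses.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN = 60_000  # milliseconds per minute

# Constructed records: (collector, source, message_time_ms, receipt_time_ms)
RECORDS = [
    # fw-syslog: every message is off by exactly 60 minutes
    ("col-a", "fw-syslog", 0 * MIN, 60 * MIN),
    ("col-a", "fw-syslog", 10 * MIN, 70 * MIN),
    ("col-a", "fw-syslog", 20 * MIN, 80 * MIN),
    # app-log: usually 1 minute behind, one message 45 minutes behind
    ("col-a", "app-log", 0 * MIN, 1 * MIN),
    ("col-a", "app-log", 10 * MIN, 11 * MIN),
    ("col-a", "app-log", 20 * MIN, 21 * MIN),
    ("col-a", "app-log", 30 * MIN, 75 * MIN),
    # dns-log: small, steady delay
    ("col-b", "dns-log", 0 * MIN, 1 * MIN),
    ("col-b", "dns-log", 5 * MIN, 7 * MIN),
]


def delay_stats(records):
    """Mirror the query: delt in minutes, aggregated by (collector, source)."""
    groups = defaultdict(list)
    for collector, source, message_ms, receipt_ms in records:
        groups[(collector, source)].append(abs(receipt_ms - message_ms) / 1000 / 60)
    return {
        key: {"min": min(d), "max": max(d), "avg": mean(d),
              "stddev": pstdev(d), "count": len(d)}  # population form: assumption
        for key, d in groups.items()
    }


def classify(row, avg_limit=5.0, spread_ratio=0.1):
    """Hypothetical triage rule; both thresholds are illustrative assumptions."""
    if row["avg"] < avg_limit:
        return "ok"
    if row["stddev"] <= spread_ratio * row["avg"]:
        return "constant offset"   # e.g. a wrong timezone or clock on the sender
    return "variable delay"        # e.g. intermittent backlog or buffering


if __name__ == "__main__":
    for key, row in sorted(delay_stats(RECORDS).items()):
        print(key, {k: round(v, 2) for k, v in row.items()}, classify(row))
```

A high average with a near-zero standard deviation means every message is shifted by the same amount, while a standard deviation larger than the average means a few messages account for most of the delay.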