Sumo Logic

rollingstd

The rollingstd (rolling standard) operator provides the rolling standard deviation of a field over a defined window. Rollingstd displays this value in a new column named _rollingstd.

The rollingstd operator computes the rolling standard deviation of a field, which lets you measure how much that field varies over time. For example, you can use rollingstd in a query to identify spikes in activity for a Collector, or for a URL on your site. Because the value is computed from the window of preceding data points, a sudden change in either direction (a jump or a drop) shows up as an increase in _rollingstd.

Two or more data points are needed for a meaningful result from the rollingstd operator. If you apply rollingstd to a single data point, the result is zero.

If you specify a window length of 5 but only 4 data points are available, the rollingstd operator computes the standard deviation over the data points that are available.

Syntax:

  • .. rollingstd field [, window_length]

Rules:

  • An alias for rollingstd is optional. When an alias is not provided, _rollingstd is the default alias.
  • Specified fields must contain numeric values.
  • To add a query that includes a rollingstd operator to a Dashboard, you must add a group by function before the rollingstd operator.
  • The default window length is 10.
  • The maximum window length is 1000.
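The following is an added example, not Sumo Logic's code: a small Python reference implementation of the window semantics described above (a window that covers the current value and up to window_length - 1 preceding values, a shorter window while fewer values are available, and zero for a single data point), applied per source host the way `rollingstd _count, N by _sourcehost` is. It assumes population standard deviation (the page does not say which formula is used) and input rows already sorted by _timeslice, as the queries on this page do with `sort + _timeslice`. The host `prod-katta-238`, the `spikes` helper and the sample counts are constructed for illustration.

```python
# Added example: a reference implementation of the rollingstd semantics this
# page describes. It is not Sumo Logic's code.
# Assumptions not stated on the page: population standard deviation is used,
# rows are already sorted by _timeslice, and grouping ("by _sourcehost") is
# done per key here.
from collections import defaultdict, deque
from math import sqrt
from typing import Dict, List

DEFAULT_WINDOW = 10   # rule on this page: default window length is 10
MAX_WINDOW = 1000     # rule on this page: maximum window length is 1000


def population_std(values) -> float:
    """Standard deviation of whatever is currently in the window.

    A window holding a single data point yields 0, as the page states.
    """
    n = len(values)
    if n < 2:
        return 0.0
    mean = sum(values) / n
    return sqrt(sum((v - mean) ** 2 for v in values) / n)


def rollingstd(values: List[float], window_length: int = DEFAULT_WINDOW) -> List[float]:
    """`rollingstd field, window_length` over one already-sorted series.

    Each output element is the standard deviation of the current value and up
    to window_length - 1 preceding values. Before window_length values exist,
    the shorter prefix is used (window 5 with 4 points uses those 4 points).
    A window_length of 1 always holds a single point, so every output is 0.
    """
    if not 1 <= window_length <= MAX_WINDOW:
        raise ValueError(f"window_length must be between 1 and {MAX_WINDOW}")
    window = deque(maxlen=window_length)   # drops the oldest value automatically
    out = []
    for v in values:
        window.append(v)
        out.append(population_std(window))
    return out


def rollingstd_by(rows: List[Dict], window_length: int = DEFAULT_WINDOW,
                  field: str = "_count", key: str = "_sourcehost") -> List[Dict]:
    """Equivalent of `rollingstd _count, N by _sourcehost`: one independent
    rolling series per key, with the result stored in a new _rollingstd column."""
    series: Dict[str, List[float]] = defaultdict(list)
    for row in rows:
        series[row[key]].append(row[field])
    computed = {k: rollingstd(v, window_length) for k, v in series.items()}
    position: Dict[str, int] = defaultdict(int)
    out = []
    for row in rows:
        k = row[key]
        out.append({**row, "_rollingstd": computed[k][position[k]]})
        position[k] += 1
    return out


def spikes(rows: List[Dict], threshold: float) -> List[Dict]:
    """Hypothetical helper: rows whose _rollingstd exceeds threshold, i.e. the
    window ending at that row contains a sudden change in the count."""
    return [r for r in rows if r["_rollingstd"] > threshold]


# Constructed sample (not real data): per-minute counts for two source hosts,
# in the shape `timeslice by 1m | count by _timeslice,_sourcehost | sort + _timeslice`
# returns. Host prod-katta-237 has a burst at 12:03; prod-katta-238 is flat.
SAMPLE_ROWS = [
    {"_timeslice": "12:00", "_sourcehost": "prod-katta-237", "_count": 10},
    {"_timeslice": "12:00", "_sourcehost": "prod-katta-238", "_count": 5},
    {"_timeslice": "12:01", "_sourcehost": "prod-katta-237", "_count": 12},
    {"_timeslice": "12:01", "_sourcehost": "prod-katta-238", "_count": 5},
    {"_timeslice": "12:02", "_sourcehost": "prod-katta-237", "_count": 11},
    {"_timeslice": "12:02", "_sourcehost": "prod-katta-238", "_count": 5},
    {"_timeslice": "12:03", "_sourcehost": "prod-katta-237", "_count": 40},
    {"_timeslice": "12:03", "_sourcehost": "prod-katta-238", "_count": 5},
    {"_timeslice": "12:04", "_sourcehost": "prod-katta-237", "_count": 10},
    {"_timeslice": "12:04", "_sourcehost": "prod-katta-238", "_count": 5},
]

if __name__ == "__main__":
    result = rollingstd_by(SAMPLE_ROWS, 5)
    for row in result:
        print(row["_timeslice"], row["_sourcehost"], row["_count"], round(row["_rollingstd"], 3))
    for row in spikes(result, threshold=10):
        print("spike:", row["_timeslice"], row["_sourcehost"])
```

Two things worth noting from running it: with a window length of 1, every window holds a single point, so every _rollingstd is zero; and a flat series (prod-katta-238) stays at zero no matter the window, so only a change in the count moves the value.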

Examples

Use rollingstd to see how much a field varies between time points, grouped by source host.

Running a query such as:

_sourcecategory=katta 
| timeslice by 1m 
| count by _timeslice,_sourcehost 
| sort + _timeslice 
| rollingstd _count,1 by _sourcehost

produces a result table with one _rollingstd value per source host and timeslice.

Find the rolling standard deviation of a field between time points.

Using rollingstd with timeslice, you can run a query similar to:

* | parse "bytes: '*'" as bytes 
| timeslice 1m 
| sum(bytes) as bytes by _timeslice 
| sort _timeslice 
| rollingstd bytes, 5

that produces an aggregation table with a _rollingstd column. The aggregation table can be displayed as an area chart.

Specify a window length of 5, but only 4 data points are available.

Before 5 values are available, the rollingstd operator computes the standard deviation over the data points that are available. For example:

_sourcecategory=katta 
| timeslice by 1m 
| count by _timeslice,_sourcehost 
| where _sourcehost="prod-katta-237" 
| sort + _timeslice 
| rollingstd _count,5

which produces a result table in which the first row has a _rollingstd of zero (a single data point) and the next three rows are computed from the two, three and four data points available so far; from the fifth row on, the full window of 5 is used.

Rollingstd is also used with the Backshift operator.