If I need to calculate the standard deviation (STD_DEV) for each row (using a number column from the row), how do I do that?
I currently have the snippet below:
FROM logs-*
| WHERE event.code == "4768" AND field1 == "value" AND NOT field2 LIKE "*$"
| STATS uniq_user = COUNT_DISTINCT(field2) BY field3
| EVAL comp_avg = AVG(uniq_user), comp_std = STD_DEV(uniq_user)
uniq_user has the values that I want use to calculate both AVG and STD_DEV for each row.
Using EVAL to calculate comp_avg = AVG(uniq_user), comp_std = STD_DEV(uniq_user) returns:
aggregate function [AVG(uniq_user)] not allowed outside STATS command
aggregate function [STD_DEV(uniq_user)] not allowed outside STATS command
When I use STATS instead, I no longer have access to the previous rows, which contained uniq_user values.
Is there a way to calculate the AVG and STD_DEV and still have access to the previous rows containing uniq_user?
Thanks.