I’m looking for an explanation how the variance function is working, when used in alert definition.

Let’s say I want to be notified if there is a significant variance in the 24h for malicious sites.

How does graylog calculates the variance in that case? How many/Which intervals are used for the calculation? Unfortunately, it isn’t well documented…

Many thanks again!

Regards

Oliver