Alerting and variance

I’m looking for an explanation of how the variance function works when used in an alert definition.

Let’s say I want to be notified if there is a significant variance in the 24h for malicious sites.

How does Graylog calculate the variance in that case? How many/which intervals are used for the calculation? Unfortunately, it isn’t well documented…

Many thanks again!



The data that is fed into the aggregation is defined by the Search within the last period.
So you probably want to set this to 24 hours in your case.
You can execute the event definition every minute or so.
This will create a sliding window (

Besides, I think you might want to use stddev() instead of variance() because it’s easier to define a condition for that.
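
A sketch of the behaviour described in the reply above, added here as an illustration (not part of the original thread and not Graylog code): one aggregate is computed over every value in the search window, and the window slides forward with each execution. The events, the numeric field, the threshold and the use of population variance are all assumptions made for the example.

```python
import math
from datetime import datetime, timedelta

def window_stats(events, now, search_within):
    """Aggregate every value whose timestamp lies in [now - search_within, now)."""
    start = now - search_within
    values = [v for ts, v in events if start <= ts < now]
    if not values:
        return None
    mean = sum(values) / len(values)
    # Assumption: population variance (divide by n); the thread does not
    # say which estimator Graylog uses.
    variance = sum((v - mean) ** 2 for v in values) / len(values)
    return {"count": len(values), "variance": variance,
            "stddev": math.sqrt(variance)}

def run_definition(events, first_run, runs, execute_every, search_within, stddev_limit):
    """Re-evaluate the condition at each execution; the window slides by execute_every."""
    results = []
    for i in range(runs):
        now = first_run + i * execute_every
        stats = window_stats(events, now, search_within)
        fired = stats is not None and stats["stddev"] > stddev_limit
        results.append((now, stats, fired))
    return results

# Constructed sample data: one event per hour for 48 hours carrying a
# hypothetical numeric field. Every value is 10 except a spike of 110 at hour 30.
T0 = datetime(2024, 1, 1)
EVENTS = [(T0 + timedelta(hours=h), 110.0 if h == 30 else 10.0) for h in range(48)]

# Hourly executions keep the output short; the reply suggests every minute.
RESULTS = run_definition(EVENTS, first_run=T0 + timedelta(hours=24), runs=32,
                         execute_every=timedelta(hours=1),
                         search_within=timedelta(hours=24), stddev_limit=5.0)

if __name__ == "__main__":
    for now, stats, fired in RESULTS:
        print(now, stats, "ALERT" if fired else "ok")
```

With this data the variance in a window containing the spike is about 399 (in squared units of the field) while the standard deviation is about 20 (in the field's own units), which is why a stddev threshold is easier to pick. The condition keeps firing until the spike slides out of the 24-hour window.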

