text code block:`aws_bedrock_claude` | spath output="out_tokens" path="output.outputBodyJson.usage.output_tokens" | eval user = replace('identity.arn', ".*/", "") | stats count AS invocations, avg(out_tokens) AS avg_out, max(out_tokens) AS max_out, stdev(out_tokens) AS stdev_out BY user, identity.arn | eval stdev_out = coalesce(stdev_out, 0) | eval threshold = avg_out + (2 * stdev_out) | where max_out > threshold | table user, identity.arn, invocations, avg_out, max_out, stdev_out, threshold | sort -max_out | `aws_bedrock_claude_excessive_use_of_tokens_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).