Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the chart only valuing 15% above calculated average response?

fisuser1
Contributor
‎08-25-2018 05:29 AM

I've created a chart that only shows run times above a 60 day average and it's corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average, evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on my existing search I have working?

index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number:  " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time 
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown"))))))) 
| chart values(duration_minutes) as run_time by Firm date_wday_new 
| appendcols 
    [ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
    | stats avg(duration_minutes) as Average by firm_name]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-25-2018 07:53 PM

@fisuser1,
If you just want to calculate the percentage, try this 

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15 
|"other searche terms"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-25-2018 07:53 PM

@fisuser1,
If you just want to calculate the percentage, try this 

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15 
|"other searche terms"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

fisuser1
Contributor
‎08-26-2018 06:10 AM

this worked, thank you. @renjith.nair, please copy your suggestion into the answers section, I will so you get credit.

Here's the final result.

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| stats first(avg_time) as Average by Firm]
| rename "2. Monday" as Monday
| rename "3. Tuesday" as Tuesday
| rename "4. Wednesday" as Wednesday
| rename "5. Thursday" as Thursday
| rename "6. Friday" as Friday
| fields - firm_name
| fillnull value="."

Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-26-2018 06:45 AM

@fisuser1, glad to know 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...