Hi,
Please help.
Step 1 : Calculate combined average of an event (event name : mytest here) from source file a,b,c.
Step 2 : calculate average of mytest event from each source file a,b,c individually.
Step 3 : compare if there is 50% change when comparing individual average with combined average.
It sounds like you want to use something like eventstats for what you're trying to accomplish. Eventstats gives you a way of "zooming out" and giving you metrics from the wider set of events to use for comparison to values in individual events.
Try something like this:
<base search>
| stats avg(fieldName) as source_average by eventName, source
| eventstats avg(source_average) as combined_average by eventName
| eval pct_diff=abs(100*((combined_average-source_average)/combined_average))
| where pct_diff > 50
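The same pipeline worked through in Python, as an added example that is not part of the thread or of Splunk's own code: the sample events, the field name `fieldName` and the sources a, b, c are constructed here for illustration. It reproduces what `stats ... by eventName, source`, `eventstats avg(source_average) by eventName` and the `pct_diff` eval compute, and it also shows the two things a practitioner should check before trusting the result: that the percent-difference formula has its parentheses in the right place (division binds tighter than subtraction, so `combined-source/combined` is not `(combined-source)/combined`), and that the eventstats value is the mean of the per-source averages, which is not the same as the mean over every event when the sources contribute different numbers of events.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (eventName, source, fieldName); not data from the thread.
EVENTS = [
    ("mytest", "a", 100), ("mytest", "a", 120),
    ("mytest", "b", 110), ("mytest", "b", 90),
    ("mytest", "c", 300), ("mytest", "c", 340), ("mytest", "c", 320),
    ("other", "a", 10), ("other", "b", 12),
]


def per_source_average(events):
    """Mirrors `stats avg(fieldName) as source_average by eventName, source`."""
    groups = defaultdict(list)
    for event_name, source, value in events:
        groups[(event_name, source)].append(value)
    return {key: mean(vals) for key, vals in groups.items()}


def combined_average(source_avgs):
    """Mirrors `eventstats avg(source_average) as combined_average by eventName`:
    one value per eventName, the unweighted mean of the per-source averages."""
    groups = defaultdict(list)
    for (event_name, _source), avg in source_avgs.items():
        groups[event_name].append(avg)
    return {event_name: mean(vals) for event_name, vals in groups.items()}


def overall_average(events):
    """The other possible reading of 'combined average': the mean over every event
    for the eventName, so a source with more events weighs more."""
    groups = defaultdict(list)
    for event_name, _source, value in events:
        groups[event_name].append(value)
    return {event_name: mean(vals) for event_name, vals in groups.items()}


def pct_diff(combined, per_source):
    """abs(100*((combined-per_source)/combined)): the intended percent change."""
    return abs(100 * ((combined - per_source) / combined))


def pct_diff_misparenthesised(combined, per_source):
    """What abs(100*(combined-per_source/combined)) actually computes; kept only
    to show how far off the result is when the parentheses are missing."""
    return abs(100 * (combined - per_source / combined))


def outliers(events, threshold=50.0):
    """Rows that `where pct_diff > threshold` would keep:
    (eventName, source, source_average, combined_average, pct_diff)."""
    src = per_source_average(events)
    comb = combined_average(src)
    rows = []
    for (event_name, source), avg in sorted(src.items()):
        diff = pct_diff(comb[event_name], avg)
        if diff > threshold:
            rows.append((event_name, source, round(avg, 2),
                         round(comb[event_name], 2), round(diff, 2)))
    return rows


if __name__ == "__main__":
    for row in outliers(EVENTS):
        print("over threshold:", row)
    comb = combined_average(per_source_average(EVENTS))["mytest"]
    print("eventstats-style combined average:", round(comb, 2))
    print("mean over all mytest events:", round(overall_average(EVENTS)["mytest"], 2))
    print("misparenthesised pct_diff for source c:",
          round(pct_diff_misparenthesised(comb, 320.0), 2))
```

With the constructed data only source c of mytest is flagged (about 81% away from a combined average of roughly 176.67), while the mean over all seven mytest events is about 197.14, because c contributes three events to the other sources' two. If the question means the latter, the combined value has to be computed over the raw events before the `stats` collapses them per source; if it means the average of the per-source averages, the answer's search already does that.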
@erikahanlon,
Thanks.
This gave me clue for implementing this.