Hello - we are looking to present daily run time values of events in a search, but only display the daily run time values that are greater than the calculated 30 day run time average.
I've tried the eventstats command with a where command, but it doesn't seem like where plays nice with the values command. I tried using first instead of values, but that seems to skew the daily results. Any suggestions? Perhaps a sub search?
our_search
| eventstats values(duration_minutes) as run_time by firm_name
| eventstats avg(duration_minutes) as avg_time by firm_name
| where run_time>avg_time
| timechart span=1d values(run_time) by firm_name
Think I may have gotten it.
mysearch
| bin _time span=30d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| chart values(duration_minutes) as run_time by firm_name date_wday useother=f
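As an added example (not from the original poster or the answer above), here is the same idea applied to the daily timechart the question originally asked for. The original attempt failed because values() turns run_time into a multivalue field, so where compares against a list rather than each event's own duration; keeping the comparison on the per-event duration_minutes field avoids that. Field names duration_minutes and firm_name are taken from the thread; the 30-day time range is an assumption.

```spl
our_search earliest=-30d@d latest=@d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| timechart span=1d max(duration_minutes) as run_time by firm_name
```

Because eventstats runs over the whole 30-day window before the filter, avg_time is each firm's 30-day average, and only events above it reach the chart; days with no above-average runs show up empty for that firm.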
Hi @fisuser1 - Did your solution above work? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks and happy posting!