Splunk Search

How do I present run time values for the past 30 days, but only display those that are greater than the average?

fisuser1
Contributor

Hello - we are looking to present daily run time values of events in a search, but only display the daily run time values that are greater than the calculated 30 day run time average.

I've tried the eventstats with a where command, but it doesn't seem like where plays nicely with the values command. I tried using first instead of values, but that seems to skew the daily results. Any suggestions? Perhaps a sub search?

our_search

| eventstats values(duration_minutes) as run_time by firm_name 
| eventstats avg(duration_minutes) as avg_time by firm_name 
| where run_time>avg_time
| timechart span=1d values(run_time) by firm_name
1 Solution

fisuser1
Contributor

think I may have gotten it

mysearch

| bin _time span=30d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| chart values(duration_minutes) as run_time by firm_name date_wday useother=f


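A variant of the accepted approach, added here as an editor's example and not taken from fisuser1's post. It computes one run time per firm per calendar day, takes the per-firm average over a trailing 30-day window set with earliest/latest instead of `bin _time span=30d`, and keeps only the days above that average. In the accepted answer the eventstats groups by firm_name alone, so the `bin _time span=30d` line does not influence the average at all; the average is taken over whatever time range the search was run for. The daily value below is assumed to be the sum of that day's duration_minutes per firm (swap sum for max or avg if a day's run time means something else); our_search, duration_minutes and firm_name are the names used in the thread.

```spl
our_search earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(duration_minutes) AS run_time BY _time firm_name
| eventstats avg(run_time) AS avg_time BY firm_name
| where run_time > avg_time
| timechart span=1d values(run_time) BY firm_name
```

Because stats has already reduced the data to one row per day per firm, values(run_time) in the final timechart yields a single number per cell rather than a multivalue list, which is what made the original `where run_time>avg_time` after `eventstats values(...)` misbehave. Note also that `chart ... by firm_name date_wday` in the accepted answer groups by day of week (date_wday is "monday", "tuesday", ...), so it produces one column per weekday, not one per date.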

mstjohn_splunk
Splunk Employee

Hi @fisuser1 - Did your solution above work? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks and happy posting!
