I've created a chart that only shows run times above a 60 day average and its corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average; evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on the existing search I have working?
index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| stats avg(duration_minutes) as Average by firm_name]
@fisuser1,
If you just want to calculate the percentage, try this
index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| "other search terms"
This worked, thank you. @renjith.nair, please copy your suggestion into the answers section; I will accept it so you get credit.
Here's the final result.
index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| stats first(avg_time) as Average by Firm]
| rename "2. Monday" as Monday
| rename "3. Tuesday" as Tuesday
| rename "4. Wednesday" as Wednesday
| rename "5. Thursday" as Thursday
| rename "6. Friday" as Friday
| fields - firm_name
| fillnull value="."
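The accepted percent-of-change calculation and the final search above, re-implemented in Python as an added example (not code from the thread) over constructed events so the logic can be checked offline: Firm is built the way strcat does it, the average is per Firm over the whole input (which is what `eventstats ... by Firm` computes), and perc_of_change uses the thread's denominator, the run time, with an option to measure against the average instead, because "15% above average" gives different results under the two.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events standing in for index=global_foo (not real data).
EVENTS = [
    {"firm_name": "Acme", "firm_number": "101", "_time": "2024-03-04 02:00", "duration_minutes": 40},
    {"firm_name": "Acme", "firm_number": "101", "_time": "2024-03-05 02:00", "duration_minutes": 42},
    {"firm_name": "Acme", "firm_number": "101", "_time": "2024-03-06 02:00", "duration_minutes": 80},
    {"firm_name": "Acme", "firm_number": "101", "_time": "2024-03-07 02:00", "duration_minutes": 38},
    {"firm_name": "Bolt", "firm_number": "202", "_time": "2024-03-04 03:00", "duration_minutes": 100},
    {"firm_name": "Bolt", "firm_number": "202", "_time": "2024-03-05 03:00", "duration_minutes": 120},
    {"firm_name": "Bolt", "firm_number": "202", "_time": "2024-03-06 03:00", "duration_minutes": 140},
]

# Same weekday labels as the nested if() in the search, so columns sort Sunday..Saturday.
WDAY_ORDER = {"sunday": "1. Sunday", "monday": "2. Monday", "tuesday": "3. Tuesday",
              "wednesday": "4. Wednesday", "thursday": "5. Thursday",
              "friday": "6. Friday", "saturday": "7. Saturday"}

def perc_of_change(duration, avg, relative_to="run"):
    """Thread's formula divides by the run time; 'average' measures deviation from the baseline."""
    base = duration if relative_to == "run" else avg
    return round((duration - avg) / base * 100, 2)

def slow_runs(events, threshold=15, relative_to="run"):
    """eventstats avg(duration_minutes) by Firm, then keep runs whose change exceeds threshold.
    Returns (flagged rows, chart {Firm: {weekday: [run_time, ...]}}, {Firm: Average})."""
    by_firm = defaultdict(list)
    for e in events:
        firm = f'{e["firm_name"]} - Firm Number: {e["firm_number"]}'  # strcat ... AS Firm
        by_firm[firm].append(e)
    flagged, chart, averages = [], defaultdict(lambda: defaultdict(list)), {}
    for firm, rows in by_firm.items():
        avg_time = sum(r["duration_minutes"] for r in rows) / len(rows)
        averages[firm] = round(avg_time, 2)  # first(avg_time) as Average in the subsearch
        for r in rows:
            pct = perc_of_change(r["duration_minutes"], avg_time, relative_to)
            if pct > threshold:  # where perc_of_change > 15
                wday = datetime.strptime(r["_time"], "%Y-%m-%d %H:%M").strftime("%A").lower()
                label = WDAY_ORDER.get(wday, "unknown")
                flagged.append({**r, "Firm": firm, "avg_time": avg_time, "perc_of_change": pct})
                chart[firm][label].append(r["duration_minutes"])  # chart values(duration_minutes)
    return flagged, {f: dict(d) for f, d in chart.items()}, averages

if __name__ == "__main__":
    for row in slow_runs(EVENTS)[0]:
        print(row["Firm"], row["_time"], row["duration_minutes"], row["perc_of_change"])
```

With the constructed data, Bolt's 140-minute run is 16.67% over its 120-minute average but only 14.29% by the run-time denominator, so it is dropped by the thread's formula and kept with `relative_to="average"`.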
@fisuser1, glad to know 🙂