I have a search that returns two different values for avg_duration. These values are an average of all the values that fall under that state of either NEW or OLD. What I need to do now is access the avg_duration values separately in order to determine whether the avg_duration for NEW or OLD is bigger. The search is:
| sort targetId timestamp
| stats first(timestamp) as start, last(timestamp) as end, first(task) as task0, last(task) as task1, first(status) as status0, last(status) as status1 by targetId
| eval curr_time=now()
| eval start_time=if(status0="Started" AND task0="Build CI" AND status1="Completed", strptime(start, "%m/%d/%Y %l:%M:%S %p"), 0)
| eval start_time=ifnull(start_time, strptime(start, "%Y-%m-%dT%H:%M:%SZ"))
| eval start_time=ifnull(start_time, strptime(start, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval end_time = if(status0="Started" AND task0="Build CI" AND status1="Completed", strptime(end, "%m/%d/%Y %l:%M:%S %p"), 0)
| eval end_time=ifnull(end_time, strptime(end, "%Y-%m-%dT%H:%M:%SZ"))
| eval end_time=ifnull(end_time, strptime(end, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval start_time=round(start_time, 2)
| eval end_time=round(end_time, 2)
| eval duration=if(status0="Started" AND task0="Build CI" AND status1="Completed", end_time-start_time, "No Duration")
| where duration!="No Duration"
| eval state=if(start_time+1296000>=curr_time, "NEW", "OLD")
| stats avg(duration) as avg_duration by state
The search and output are shown in the attached picture.
"| sort 1 -avg_duration" should give you whichever is the biggest