Thank you for your prompt reply.
So the idea is that I get the average of the various requests from last week and then divide it by the total number of requests in order to create a new column called Daily Average. As it is just a mockup it isn't entirely realistic, but it will be useful. I only put a small subset of the overall search query above. Below is the full query we have.
sourcetype="log_test" earliest=-1mon@mon latest=@mon
| rename requestno AS "Request Number"
| join "Request Number" [inputlookup Request_Lookup.csv]
| stats count by "Request Number" "Request Name"
| eventstats sum(count) as total
| eval percent=round(count/total*100,2)
| eval "Daily Average"=round(count/3)
| join "Request Number" [inputlookup Request_ThresholdLookup.csv]
| eval "Warning Threshold" = if('Warning Threshold'=0, round('Daily Average' * 1.10), 'Warning Threshold')
| eval "%Warning" = round(count/'Warning Threshold'*100)
| eval "Error Threshold" = round('Daily Average' * 1.5)
| eval "%Error" = round(count/'Error Threshold'*100)
| eval "RAG Status" = case ('%Warning'>=100 AND '%Error'>= 100, "Error", '%Warning'>=100, "Warning", '%Error' >=100, "Error", 1=1, "Normal")
| table "Request Number" "Request Name", count, percent, "Daily Average", "Warning Threshold", "%Warning", "Error Threshold", "%Error", "RAG Status"
| sort - count
| rename count AS "Number of Requests"
So as you can see, currently Daily Average is count/3. This was just put there in order to ensure I can get something in the fields. I wanted to put the average of the previous week into that, which is why I had the
eval lastweek=relative_time(latest, "-1w@w1")
query.
Hopefully this will make more sense now.
Thanks.
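One way to fill Daily Average from the previous full week rather than from count/3, written here as an added example and not the poster's query or anything from Splunk's documentation. It keeps the sourcetype log_test, the requestno field and the two lookup files from the post, and assumes (as the original evals imply) that Request_Lookup.csv supplies "Request Name" and Request_ThresholdLookup.csv supplies a "Warning Threshold" column, both keyed by "Request Number". The previous week's daily average is computed in a subsearch as the week's total divided by 7, so days with no requests count as zero instead of being skipped; the subsearch window -1w@w1 to @w1 is the last complete Monday-to-Monday week relative to now, which is what relative_time(now(), "-1w@w1") would give.

```spl
sourcetype="log_test" earliest=-1mon@mon latest=@mon
| rename requestno AS "Request Number"
| stats count by "Request Number"
``` previous full week (Mon-Mon), total per request divided by 7 days ```
| join type=left "Request Number"
    [ search sourcetype="log_test" earliest=-1w@w1 latest=@w1
      | rename requestno AS "Request Number"
      | stats count AS weekly_count by "Request Number"
      | eval "Daily Average"=round(weekly_count/7, 2)
      | fields "Request Number" "Daily Average" ]
``` requests seen this month but absent last week get a 0 average ```
| fillnull value=0 "Daily Average"
``` assumed lookup columns: Request Name, Warning Threshold ```
| join type=left "Request Number" [inputlookup Request_Lookup.csv]
| join type=left "Request Number" [inputlookup Request_ThresholdLookup.csv]
| fillnull value=0 "Warning Threshold"
| eval "Warning Threshold"=if('Warning Threshold'=0, round('Daily Average'*1.10), 'Warning Threshold')
| eval "Error Threshold"=round('Daily Average'*1.5)
``` guard the division so a zero threshold yields null rather than a misleading percentage ```
| eval "%Warning"=if('Warning Threshold'>0, round(count/'Warning Threshold'*100), null())
| eval "%Error"=if('Error Threshold'>0, round(count/'Error Threshold'*100), null())
| eval "RAG Status"=case('%Error'>=100, "Error", '%Warning'>=100, "Warning", 1=1, "Normal")
| table "Request Number" "Request Name" count "Daily Average" "Warning Threshold" "%Warning" "Error Threshold" "%Error" "RAG Status"
| sort - count
| rename count AS "Number of Requests"
```

The ``` ``` comment ``` ``` lines are SPL comments and need Splunk 8.0 or later; drop them on older versions. Two things to keep in mind when adapting this: the outer window (-1mon@mon to @mon) and the subsearch window are both relative to now and independent of each other, so count is a monthly total being compared against a daily-sized threshold unless you align the windows (adding | addinfo to the outer search exposes its bounds as info_min_time and info_max_time if you want the week computed relative to the outer latest instead of now); and join runs a subsearch, which is subject to the subsearch result and time limits, so for large request volumes a single search with bin _time span=1d followed by stats is the more scalable shape. If you would rather average only over days that had traffic, replace the inner stats with | bin _time span=1d | stats count AS daily_count by _time "Request Number" | stats avg(daily_count) AS "Daily Average" by "Request Number".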