https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57107#M751 <P>Hello. I need to calculate statistics like Avg, Count, from the past two weeks period.</P> <P>What I want to do next is to check if the same measure in the days AFTER those two weeks are above it or not. </P> <P>I Can't figure out if it is a join, append or something else to write... Here is what I've got:</P> <P><CODE><BR /> index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15<BR /> | eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo <BR /> | eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo) <BR /> | eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)<BR /> | eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo) <BR /> | eval Performance=case(executiontime&gt;lim3,"High_Alert",executiontime&gt;lim2,"Mid_Alert",executiontime&gt;lim1,"Low_Alert",executiontime&lt;lim1,"OK") <BR /> | eval Low=if(executiontime&gt;lim1 AND executiontime&lt;lim2,1,0) <BR /> | eval Mid=if(executiontime&gt;lim2 AND executiontime&lt;lim3,1,0) <BR /> | eval High=if(executiontime&gt;lim3,1,0) <BR /> | eval OutQ=if(executiontime&gt;lim1,1,0) <BR /> | stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh<BR /> </CODE><BR /> Now I want to get those Avg and see where executiontime in the period</P> <P>index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=9/6/2013:00:00:00 latest=now date_wday=friday date_hour=15</P> <P>is going. Can you help please?</P> <P>Thank you</P> Mon, 28 Sep 2020 14:43:47 GMT TiagoMatos 2020-09-28T14:43:47Z https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57107#M751 <P>Hello. I need to calculate statistics like Avg, Count, from the past two weeks period.</P> <P>What I want to do next is to check if the same measure in the days AFTER those two weeks are above it or not. </P> <P>I Can't figure out if it is a join, append or something else to write... Here is what I've got:</P> <P><CODE><BR /> index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15<BR /> | eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo <BR /> | eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo) <BR /> | eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)<BR /> | eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo) <BR /> | eval Performance=case(executiontime&gt;lim3,"High_Alert",executiontime&gt;lim2,"Mid_Alert",executiontime&gt;lim1,"Low_Alert",executiontime&lt;lim1,"OK") <BR /> | eval Low=if(executiontime&gt;lim1 AND executiontime&lt;lim2,1,0) <BR /> | eval Mid=if(executiontime&gt;lim2 AND executiontime&lt;lim3,1,0) <BR /> | eval High=if(executiontime&gt;lim3,1,0) <BR /> | eval OutQ=if(executiontime&gt;lim1,1,0) <BR /> | stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh<BR /> </CODE><BR /> Now I want to get those Avg and see where executiontime in the period</P> <P>index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=9/6/2013:00:00:00 latest=now date_wday=friday date_hour=15</P> <P>is going. Can you help please?</P> <P>Thank you</P> Mon, 28 Sep 2020 14:43:47 GMT https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57107#M751 TiagoMatos 2020-09-28T14:43:47Z https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57108#M752 <P>Format code blocks by blank lines before and after + 4 spaces at the start of each line, please.</P> Fri, 06 Sep 2013 18:00:25 GMT https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57108#M752 Ayn 2013-09-06T18:00:25Z https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57109#M753 <PRE><CODE>index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15 | eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo | eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo) | eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo) | eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo) | eval Performance=case(executiontime&gt;lim3,"High_Alert",executiontime&gt;lim2,"Mid_Alert",executiontime&gt;lim1,"Low_Alert",executiontime&lt;lim1,"OK") | eval Low=if(executiontime&gt;lim1 AND executiontime&lt;lim2,1,0) | eval Mid=if(executiontime&gt;lim2 AND executiontime&lt;lim3,1,0) | eval High=if(executiontime&gt;lim3,1,0) | eval OutQ=if(executiontime&gt;lim1,1,0) | stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh </CODE></PRE> Fri, 06 Sep 2013 21:39:54 GMT https://community.splunk.com/t5/Splunk-Dev/Different-Ranges-queries/m-p/57109#M753 TiagoMatos 2013-09-06T21:39:54Z