https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85855#M21919 <P>Give this a shot: </P> <PRE><CODE>&lt;your search here&gt; | eventstats count as globalCount avg(TotalResponse) as globalAvg | where TotalResponse &gt; globalAvg | stats count as greaterThanAverageCount last(globalAvg) as globalAvg last(globalCount) as globalCount | eval percent = 100 * greaterThanAverageCount / globalCount | table globalAvg percent </CODE></PRE> <P>The Eventstats command allows you to do anything you can do in stats, but paint the aggregate statistical results about the whole set back onto each of the original incoming rows. Basically whenever you have a problem that feels like you need to make "two passes" through the data, you should look at eventstats, or its streaming cousin, streamstats. </P> Mon, 07 Oct 2013 20:05:48 GMT sideview 2013-10-07T20:05:48Z https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85854#M21918 <P>Hi All,</P> <P>I have a field "TotalResponse" which is the total response time for a web request. I'm attempting to determine the following:<BR /> 1. What the average "TotalResponse" is over a 15 minute span<BR /> 2. Return any result where "TotalResponse" is greater than the average<BR /> 3. Total % of responses that were greater than the average</P> <P>I'm having a bit of a tough time figuring out part 2, hopefully someone can help?</P> <P>Cheers<BR /> K</P> Mon, 07 Oct 2013 20:00:50 GMT https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85854#M21918 kultar 2013-10-07T20:00:50Z https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85855#M21919 <P>Give this a shot: </P> <PRE><CODE>&lt;your search here&gt; | eventstats count as globalCount avg(TotalResponse) as globalAvg | where TotalResponse &gt; globalAvg | stats count as greaterThanAverageCount last(globalAvg) as globalAvg last(globalCount) as globalCount | eval percent = 100 * greaterThanAverageCount / globalCount | table globalAvg percent </CODE></PRE> <P>The Eventstats command allows you to do anything you can do in stats, but paint the aggregate statistical results about the whole set back onto each of the original incoming rows. Basically whenever you have a problem that feels like you need to make "two passes" through the data, you should look at eventstats, or its streaming cousin, streamstats. </P> Mon, 07 Oct 2013 20:05:48 GMT https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85855#M21919 sideview 2013-10-07T20:05:48Z https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85856#M21920 <P>I'm just not quick enough, thanks sideview</P> Mon, 07 Oct 2013 20:07:17 GMT https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85856#M21920 sdaniels 2013-10-07T20:07:17Z https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85857#M21921 <P>Nature abhors any search language question left unanswered for more than 5 minutes!</P> Mon, 07 Oct 2013 20:10:09 GMT https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85857#M21921 sideview 2013-10-07T20:10:09Z https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85858#M21922 <P>Thanks very much! That was super helpful! Plus, I learned something new!</P> Mon, 07 Oct 2013 20:17:12 GMT https://community.splunk.com/t5/Splunk-Search/Finding-all-instances-of-a-field-greater-than-the-avg-of-that/m-p/85858#M21922 kultar 2013-10-07T20:17:12Z