https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313361#M93803 <P>trendline command along with timechart might work here.</P> <P>Ex:</P> <PRE><CODE>sourcetype= customermetric customer!= Unknown earliest=-3w |bin span=1h _time | stats sum(trVol) AS volume_hour by user,_time| trendline sma504(volume_hour) AS sma_avg|your logic to caluculate 50 % diff btw hour count vs avg |... search filters </CODE></PRE> Thu, 01 Jun 2017 18:28:12 GMT Ravan 2017-06-01T18:28:12Z https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313360#M93802 <P>Hello - I m collecting some user metrics in below format. customer's trVol ( transactionvolume) </P> <P>2017-05-29 04:50:01,customer=ABC,trVol=2009,elapsedtimeAvg=175.7988<BR /> 2017-05-29 04:50:01,customer=DEF,trVol=500,elapsedtimeAvg=50.2</P> <P>Now, i need to identify those customers who is sending 50% or more transactions in last 1 hour compared to the moving average of transaction volume for last 3 weeks</P> <P>Can you help me with the SPL?</P> <P>sourcetype= customermetric customer!= Unknown <BR /> | streamstats window=6 global=f avg(trVol) as rollingavg by customer</P> <P>Customer metric is gathered every 10 minutes.</P> Mon, 29 May 2017 09:15:30 GMT https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313360#M93802 vw5qb73 2017-05-29T09:15:30Z https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313361#M93803 <P>trendline command along with timechart might work here.</P> <P>Ex:</P> <PRE><CODE>sourcetype= customermetric customer!= Unknown earliest=-3w |bin span=1h _time | stats sum(trVol) AS volume_hour by user,_time| trendline sma504(volume_hour) AS sma_avg|your logic to caluculate 50 % diff btw hour count vs avg |... search filters </CODE></PRE> Thu, 01 Jun 2017 18:28:12 GMT https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313361#M93803 Ravan 2017-06-01T18:28:12Z https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313362#M93804 <P>Okay, so you have to calculate two pieces of information -</P> <P>(1) what is the customer's moving average transaction volume per unit of time for the last 3 weeks<BR /> (2) what is the customer's transaction volume for the most recent unit of time.</P> <P>Your best bet for efficiency will probably be to build a summary index, but let's ignore that for a moment.</P> <P>You apparently have the calculation for hourly average, so we drop in the 3-week average calculation (I think time_window works better than window for this matter) and then compare... </P> <PRE><CODE>sourcetype= customermetric customer!= Unknown | streamstats time_window=3w avg(trVol) as rollingavg3w by customer | streamstats window=6 global=f avg(trVol) as rollingavg1h by customer | where rollingavg1h&gt;1.5*rollingavg3w </CODE></PRE> Fri, 02 Jun 2017 03:25:25 GMT https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313362#M93804 DalJeanis 2017-06-02T03:25:25Z https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313363#M93805 <P>What I haven't commented on is the "50% more" part of your query. Unless your customers have VERY steady volumes, you would probably be better off calculating the 95th percentile (or something like that). Run a few runs and compare the p95 to 1.5*avg and see what the shape of your data really is. </P> <PRE><CODE> sourcetype= customermetric customer!= Unknown | streamstats time_window=3w avg(trVol) as W3avg p95(trVol) as W3p95 by customer | streamstats window=6 global=f avg(trVol) as rollingavg1h by customer | where rollingavg1h&gt;W3p95 </CODE></PRE> Fri, 02 Jun 2017 03:32:50 GMT https://community.splunk.com/t5/Splunk-Search/moving-average-query/m-p/313363#M93805 DalJeanis 2017-06-02T03:32:50Z