I have a line chart of some tasks and its duration. I am trying to add average of the duration of all tasks as threshold.
|stats values(duration) as "Duration(Hr)" by Task|sort Task|stats avg(duration) as threshold
I am not getting any results from the query.I have previously added threshold as a fixed value. Is there any different method to add a threshold value which is calculated not fixed.
No, the aggregate function works for all the stats and chart commands, eventstats adds the field to the events in the pipeline, whereas stats replaces the events in the pipeline
Splunk provide various training and certification opportunities
You can also download and setup trail instances to try things out.
You could look through the answers provided here and other community channels to see how other people have approached various problems.