I'm trying to write a report that returns any report types where the 1 hour average Duration has exceeded the average + 2 Standard Deviations for a running 24 hours. How can I compare these values?
I have a query, but the 1 hour average isn't showing up:
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h latest=now| stats avg(Duration) as avg stdev(Duration) as standdev by ReportType | eval two = 2* standdev | eval avgts = avg + two | append [ search index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest=-1h latest=now | stats avg(Duration) as nowavg ]
lguinn2:
First, I have a question: what do you get when you run the two searches independently? That is, what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h latest=now| stats avg(Duration) as avg stdev(Duration) as standdev by ReportType | eval two = 2* standdev | eval avgts = avg + two
And what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest=-1h latest=now | stats avg(Duration) as nowavg
I think you will get a number of results for the first search (one for each ReportType) and only 1 result for the second search. I think I would do it this way
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as avg stdev(Duration) as standdev by ReportType |
eval avgts = avg + ( 2* standdev ) |
fields ReportType avgts |
join ReportType [ search
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -1h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as nowavg by ReportType |
fields ReportType nowavg ] |
where nowavg > avgts
Hope this works for you!
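The per-ReportType comparison in the answer above, reproduced in Python as an added example (this is not code from the original post or from Splunk) so the logic can be checked offline against constructed sample events. It mirrors the two hour-snapped windows (`earliest=-24h@h latest=@h` for the baseline, `-1h@h` to `@h` for the current hour), uses the sample standard deviation as Splunk's `stdev()` does, and makes two edge cases explicit that the search handles silently: a ReportType with no run in the last hour yields no row because `join` is an inner join by default, and a type with a single run in the window has no defined sample standard deviation and is skipped. The event list, the fixed hour-aligned "now", and the function names are assumptions made for the example.

```python
"""Replicate the answer's avg + 2*stdev baseline check outside Splunk.

Constructed sample events stand in for
index="prd_common_events" AppCode="MMX" EventName="ReportRun".
"""
from collections import defaultdict
from statistics import mean, stdev  # stdev = sample standard deviation, like Splunk's stdev()

HOUR = 3600
# Fixed, hour-aligned "now" (2023-11-14 22:00:00 UTC) so the example is deterministic (constructed).
NOW = 472_222 * HOUR


def snap_to_hour(ts):
    """Equivalent of the @h snap in earliest/latest: round down to the hour boundary."""
    return ts - ts % HOUR


def build_events():
    """Constructed sample events as (_time, ReportType, Duration in seconds)."""
    events = []
    # 'Sales': 23 normal hourly runs (10-12 s), then one 60 s run in the last hour.
    for h in range(1, 24):
        events.append((NOW - h * HOUR - 600, "Sales", 10 + h % 3))
    events.append((NOW - 600, "Sales", 60))
    # 'Inventory': steady 30-33 s; the last-hour run is within its normal range.
    for h in range(0, 24):
        events.append((NOW - h * HOUR - 900, "Inventory", 30 + h % 4))
    # 'Audit': a single run in the whole day, so no sample stdev can be computed.
    events.append((NOW - 5 * HOUR, "Audit", 120))
    # 'Payroll': a full baseline but no run in the last hour (inner join drops it).
    for h in range(2, 24):
        events.append((NOW - h * HOUR, "Payroll", 45))
    return events


def find_slow_report_types(events, now=NOW):
    """Return {ReportType: (nowavg, avgts)} for types whose last-hour mean Duration
    exceeds mean + 2*stdev over the trailing 24 hours, both windows snapped to the hour."""
    latest = snap_to_hour(now)
    baseline_start = latest - 24 * HOUR
    recent_start = latest - HOUR

    baseline = defaultdict(list)  # stats avg(Duration) stdev(Duration) by ReportType
    recent = defaultdict(list)    # subsearch: stats avg(Duration) as nowavg by ReportType
    for ts, rtype, duration in events:
        if baseline_start <= ts < latest:
            baseline[rtype].append(duration)
            if ts >= recent_start:
                recent[rtype].append(duration)

    flagged = {}
    for rtype, durations in baseline.items():
        if rtype not in recent:
            continue  # join ReportType is an inner join: no last-hour row, no output row
        if len(durations) < 2:
            continue  # sample stdev is undefined for one observation; no usable baseline
        avgts = mean(durations) + 2 * stdev(durations)  # eval avgts = avg + (2*standdev)
        nowavg = mean(recent[rtype])
        if nowavg > avgts:                                # where nowavg > avgts
            flagged[rtype] = (nowavg, avgts)
    return flagged


if __name__ == "__main__":
    for rtype, (nowavg, avgts) in find_slow_report_types(build_events()).items():
        print(f"{rtype}: last-hour avg {nowavg:.1f}s exceeds threshold {avgts:.1f}s")
```

Note that, exactly as in the search, the anomalous last-hour runs are also part of the 24-hour baseline they are compared against, which inflates the threshold slightly; excluding the current hour from the baseline window would make the check stricter.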