Hi, I am hoping you can help me here.
I am running a search out of a saved search using the load job.. I did something like :

This produces a table of field cols that look like host1#maxpings , host2#maxpings etc.. Where max pings s the maximum pings that the host can have. Under these columns are the daily pingNumbers for these hosts.
something like :
โฆ...

-โฆโฆโฆโฆ host1#23โฆโฆโฆโฆ. host2#56.1

• day1 โฆโฆโฆ...3โฆโฆโฆโฆโฆโฆโฆโฆโฆ..4
• day2 โฆโฆโฆ..10โฆโฆโฆโฆโฆโฆโฆโฆ..11
• day3 โฆโฆโฆ..20โฆโฆโฆโฆโฆโฆโฆโฆโฆ.50

I need to find out if the average pings for 3 days is more than the numbering the column name. for example : in the above, I need to find for column1, (3+10+20)/3 < 23 and for column2 (4+11+50)/3 < 56.1 โฆ I should then show only those columns, where the avg number is less than the number in the columnโฆ
i want to pseudocode something like |loadjob savedsearch="abc:search:my search" | stats avg(*) as average(*) | where average < substring-after( col-name,'#') . So that this will show only those columns where the average is less than the number in the column.
I am losing hopes on the help from google and splunk docs. Help with this will be highly appreciated.
dT

I've recreated your table like this:

``````| gentimes start=-1 increment=2h | eval day=1 | accum day | eval day="day".day | eval host0#10=random()%50 | eval host1#20=random()%50 | eval host2#30=random()%50 | eval host3#40=random()%50 | eval host4#50=random()%50 | fields day host*
``````

Based on that, this may be the postprocessing you're looking for:

``````... | stats avg(*) as * | transpose | rename "row 1" as average column as host | eval limit=replace(host, "^.*?#", "") | where average < limit
``````

Compute averages, transpose and rename results, select part after "#", compare with average.

cool. thanks.I figured this out last night ๐