Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Different Ranges queries

TiagoMatos
Path Finder
‎09-06-2013 10:48 AM

Hello. I need to calculate statistics like Avg, Count, from the past two weeks period.

What I want to do next is to check if the same measure in the days AFTER those two weeks are above it or not.

I Can't figure out if it is a join, append or something else to write... Here is what I've got:


index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15
| eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo
| eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo)
| eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)
| eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo)
| eval Performance=case(executiontime>lim3,"High_Alert",executiontime>lim2,"Mid_Alert",executiontime>lim1,"Low_Alert",executiontime<lim1,"OK")
| eval Low=if(executiontime>lim1 AND executiontime<lim2,1,0)
| eval Mid=if(executiontime>lim2 AND executiontime<lim3,1,0)
| eval High=if(executiontime>lim3,1,0)
| eval OutQ=if(executiontime>lim1,1,0)
| stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh

Now I want to get those Avg and see where executiontime in the period

index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=9/6/2013:00:00:00 latest=now date_wday=friday date_hour=15

is going. Can you help please?

Thank you

Tags (3)
0 Karma
Reply

TiagoMatos
Path Finder
‎09-06-2013 02:39 PM 
index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15

| eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo 

| eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo) 

| eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)

| eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo) 

| eval     
Performance=case(executiontime>lim3,"High_Alert",executiontime>lim2,"Mid_Alert",executiontime>lim1,"Low_Alert",executiontime<lim1,"OK") 

| eval Low=if(executiontime>lim1 AND executiontime<lim2,1,0) 

| eval Mid=if(executiontime>lim2 AND executiontime<lim3,1,0) 

| eval High=if(executiontime>lim3,1,0) 

| eval OutQ=if(executiontime>lim1,1,0) 

| stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh
0 Karma
Reply

Ayn
Legend
‎09-06-2013 11:00 AM

Format code blocks by blank lines before and after + 4 spaces at the start of each line, please.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...