Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: Different Ranges queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Different Ranges queries
Hello. I need to calculate statistics like Avg, Count, from the past two weeks period.
What I want to do next is to check if the same measure in the days AFTER those two weeks are above it or not.
I Can't figure out if it is a join, append or something else to write... Here is what I've got:
index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15
| eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo
| eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo)
| eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)
| eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo)
| eval Performance=case(executiontime>lim3,"High_Alert",executiontime>lim2,"Mid_Alert",executiontime>lim1,"Low_Alert",executiontime<lim1,"OK")
| eval Low=if(executiontime>lim1 AND executiontime<lim2,1,0)
| eval Mid=if(executiontime>lim2 AND executiontime<lim3,1,0)
| eval High=if(executiontime>lim3,1,0)
| eval OutQ=if(executiontime>lim1,1,0)
| stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh
Now I want to get those Avg and see where executiontime in the period
index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=9/6/2013:00:00:00 latest=now date_wday=friday date_hour=15
is going. Can you help please?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="pt_app_siebel" SWEMethod="ReconfigureCXProd" starttime=8/25/2013:00:00:00 latest=-24h date_wday=friday date_hour=15
| eventstats perc25(executiontime) as Q1Tempo, perc75(executiontime) as Q3Tempo
| eval lim1=Q3Tempo+3*(Q3Tempo-Q1Tempo)
| eval lim2=Q3Tempo+6*(Q3Tempo-Q1Tempo)
| eval lim3=Q3Tempo+10*(Q3Tempo-Q1Tempo)
| eval
Performance=case(executiontime>lim3,"High_Alert",executiontime>lim2,"Mid_Alert",executiontime>lim1,"Low_Alert",executiontime<lim1,"OK")
| eval Low=if(executiontime>lim1 AND executiontime<lim2,1,0)
| eval Mid=if(executiontime>lim2 AND executiontime<lim3,1,0)
| eval High=if(executiontime>lim3,1,0)
| eval OutQ=if(executiontime>lim1,1,0)
| stats avg(OutQ) as AvgOut,avg(Low) as AvgLow, avg(Mid) as AvgMid,avg(High) as AvgHigh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Format code blocks by blank lines before and after + 4 spaces at the start of each line, please.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
