Solved: Advanced search for average and greater than

gagi76 · ‎05-26-2016

Hi,

can someone point me to the advanced search. I need to search for transactions from current day that are greater than average from last month?
For now i have starting search for average from last month... and don't know how to proceed further.

earliest="04/01/2016:00:00:00" latest="04/30/2016:23:59:59" | stats avg(Price)

somesoni2 · ‎05-26-2016

Something like this

index=yourindex sourcetype=yoursourcetype earliest=@d latest=now | where Price> [search index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

View solution in original post

somesoni2 · ‎05-26-2016

Something like this

index=yourindex sourcetype=yoursourcetype earliest=@d latest=now | where Price> [search index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

gagi76 · ‎05-27-2016

Great, thanks! Actually it worked with this one:

yoursourcetype earliest=@d latest=now | where Price > [search  earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

Advanced search for average and greater than

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Advanced search for average and greater than

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!