Solved: Advanced search for average and greater than

gagi76 · ‎05-26-2016

Hi,

can someone point me to the advanced search. I need to search for transactions from current day that are greater than average from last month?
For now i have starting search for average from last month... and don't know how to proceed further.

earliest="04/01/2016:00:00:00" latest="04/30/2016:23:59:59" | stats avg(Price)

somesoni2 · ‎05-26-2016

Something like this

index=yourindex sourcetype=yoursourcetype earliest=@d latest=now | where Price> [search index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

View solution in original post

somesoni2 · ‎05-26-2016

Something like this

index=yourindex sourcetype=yoursourcetype earliest=@d latest=now | where Price> [search index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

gagi76 · ‎05-27-2016

Great, thanks! Actually it worked with this one:

yoursourcetype earliest=@d latest=now | where Price > [search  earliest=-1mon@mon latest=@mon | stats avg(Price) as avg | return $avg ]  | table ..put required fields here...

Advanced search for average and greater than

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation