Splunk Search

Compare Values from Stats Function

whunterj
Explorer

I have a search that returns two different values for avg_duration. These values are an average of all the the values that fall under that state of either NEW or OLD. What I need to do now is access the avg_duration's separately in order to determing whether the avg_duration for the NEW or OLD is bigger. The search is:

| sort targetId timestamp
| stats first(timestamp) as start, last(timestamp) as end, first(task) as task0, last(task) as task1, first(status) as status0, last(status) as status1 by targetId
| eval curr_time=now()
| eval start_time=if(status0="Started" AND task0="Build CI" AND status1="Completed", strptime(start, "%m/%d/%Y %l:%M:%S %p"), 0) 
| eval start_time=ifnull(start_time, strptime(start, "%Y-%m-%dT%H:%M:%SZ")) 
| eval start_time=ifnull(start_time, strptime(start, "%Y-%m-%dT%H:%M:%S.%QZ")) 
| eval end_time = if(status0="Started" AND task0="Build CI" AND status1="Completed", strptime(end, "%m/%d/%Y %l:%M:%S %p"), 0) 
| eval end_time=ifnull(end_time, strptime(end, "%Y-%m-%dT%H:%M:%SZ")) 
| eval end_time=ifnull(end_time, strptime(end, "%Y-%m-%dT%H:%M:%S.%QZ")) 
| eval start_time=round(start_time, 2) 
| eval end_time=round(end_time, 2)
| eval duration=if(status0="Started" AND task0="Build CI" AND status1="Completed", end_time-start_time, "No Duration")
| where duration!="No Duration"
| eval state=if(start_time+1296000>=curr_time, "NEW", "OLD") 
| stats avg(duration) as avg_duration by state

The search and output are shown in the attached picture.

alt text

Tags (2)
0 Karma

niyaz006
Path Finder

"| sort 1 -avg_duration" should give you whichever is the biggest

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...