Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Declaring a timeframe for event/stats and using the result in another search

ReufRamon
New Member
‎08-19-2017 10:53 AM

Hello everyone,

I have indexed a number of events which all have an "Amount" field. I have to search for events from the past week whose Amount value is greater than the average Amount value of the past month. The thing I have issues with is differentiating the timeframe in which the average Amount is calculated from the timeframe of the events that need to be found. I have tried using subsearches like this:

earliest=-1w@d [search earliest=-m@d | eventstats avg(Amount) as avgAmount | where Amount > avgAmount]
earliest=-1m@d | eventstats avg(Amount) as avgAmount | where Amount > avgAmount [search earliest=-1w@d]

but neither attempt worked. I am new to Splunk (if it isn't already obvious) and all suggestions are appreciated.

Tags (2)
0 Karma
Reply

ReufRamon
New Member
‎08-20-2017 02:53 AM

I managed to do it using join:

earliest=-1m@d | eventstats avg(Amount) as avgAmount | where Amount > avgAmount | join type=inner _time [search earliest=-1w@d]
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-19-2017 12:14 PM

If you just want to compare the average of all the events last week versus last month it looks like this:

index=someIndex earliest=-1w@w latest=@w | stats avg(Amount) as lastWeekAvg | appendcols [ search index=someIndex earliest=-2m@m latest=-1m@m | stats avg(Amount) as lastMonthAvg]

But you want to do per event which means you need some by clause on your stats command. Say you're doing avg(Amount) by serverName...

index=someIndex earliest=-1w@w latest=@w | stats avg(Amount) as lastWeekAvg by serverName| appendcols [ search index=someIndex earliest=-2m@m latest=-1m@m | stats avg(Amount) as lastMonthAvg by serverName] | where lastWeekAvg > lastMonthAvg
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...