Solved: How do I present run time values for the past 30 d...

fisuser1 · ‎08-23-2018

Hello - we are looking to present daily run time values of events in a search, but only display the daily run time values that are greater than the calculated 30 day run time average.

I've tried the eventstats with a where command, but doesn't seem like where plays nice with the values command. I tried using first instead of values, but that seems to skew the daily results. any suggestions? perhaps a sub search?

our_search

| eventstats values(duration_minutes) as run_time by firm_name 
| eventstats avg(duration_minutes) as avg_time by firm_name 
| where run_time>avg_time
| timechart span=1d values(run_time) by firm_name

fisuser1 · ‎08-23-2018

think I may have gotten it

mysearch

| bin _time span=30d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| chart values(duration_minutes) as run_time by firm_name date_wday useother=f

View solution in original post

fisuser1 · ‎08-23-2018

think I may have gotten it

mysearch

| bin _time span=30d
| eventstats avg(duration_minutes) as avg_time by firm_name
| where duration_minutes > avg_time
| chart values(duration_minutes) as run_time by firm_name date_wday useother=f

mstjohn_splunk · ‎08-23-2018

Hi @fisuser1 - Did your solution above work? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks and happy posting!

How do I present run time values for the past 30 days, but only display those that are greater than the average?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!