Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find events where the event time duration is greater than the overall dynamic average time?

wandi
Explorer
‎08-09-2014 07:15 PM

I have a field named "time" where I have the time that an event took and a field named "tag" with the name of the event. I want to search all the tags that time are greater than overall time average. Something like:


source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | return averageTime]

but I'm receiving the error:
Error in 'where' command: The operator at '="20.436350"' is invalid.
(note that 20.43... is the dynamic number that I want to use in the comparison)

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gauldridge
Path Finder
‎08-09-2014 09:37 PM

Try this:

source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | fields averageTime | rename averageTime AS search]

When you rename a field to search in a subsearch, you get just the value of the field returned to your main search pipeline vice returning a field/value pair. So, your search is returning averageTime=20.436350 instead of just 20.436350 like you expect.

View solution in original post

Reply
Solved! Jump to solution
Solution

gauldridge
Path Finder
‎08-09-2014 09:37 PM

Try this:

source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | fields averageTime | rename averageTime AS search]

When you rename a field to search in a subsearch, you get just the value of the field returned to your main search pipeline vice returning a field/value pair. So, your search is returning averageTime=20.436350 instead of just 20.436350 like you expect.

Reply
Solved! Jump to solution

unnigec
Engager
‎03-01-2015 03:42 AM

since we are pulling out only averageTime here ...|fields averageTime does not do any extra job I suppose.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-11-2014 12:53 PM

Alternatively, your can use "| return $averageTime", if just running a search on Search App [ user "|return $$averageTime" in case of dashboards searches] instead of just " |return averageTime" in the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...