Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find events where the event time duration is greater than the overall dynamic average time?

wandi
Explorer
‎08-09-2014 07:15 PM

I have a field named "time" where I have the time that an event took and a field named "tag" with the name of the event. I want to search all the tags that time are greater than overall time average. Something like:


source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | return averageTime]

but I'm receiving the error:
Error in 'where' command: The operator at '="20.436350"' is invalid.
(note that 20.43... is the dynamic number that I want to use in the comparison)

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gauldridge
Path Finder
‎08-09-2014 09:37 PM

Try this:

source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | fields averageTime | rename averageTime AS search]

When you rename a field to search in a subsearch, you get just the value of the field returned to your main search pipeline vice returning a field/value pair. So, your search is returning averageTime=20.436350 instead of just 20.436350 like you expect.

View solution in original post

Reply
Solved! Jump to solution
Solution

gauldridge
Path Finder
‎08-09-2014 09:37 PM

Try this:

source=avpiv2 | where time > [search source=apiv2 | stats avg(time) as averageTime | fields averageTime | rename averageTime AS search]

When you rename a field to search in a subsearch, you get just the value of the field returned to your main search pipeline vice returning a field/value pair. So, your search is returning averageTime=20.436350 instead of just 20.436350 like you expect.

Reply
Solved! Jump to solution

unnigec
Engager
‎03-01-2015 03:42 AM

since we are pulling out only averageTime here ...|fields averageTime does not do any extra job I suppose.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-11-2014 12:53 PM

Alternatively, your can use "| return $averageTime", if just running a search on Search App [ user "|return $$averageTime" in case of dashboards searches] instead of just " |return averageTime" in the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...