Splunk Search

How to use the average of a field as a search parameter to filter results?

Shark2112
Communicator

Hey guys.

I want to search for non-standard hosts from which users log in to the server.

For example:
user1 - 20 logins on host1, 20 logins on host2, and 5 logins on host3
user2 - 50 logins on host1, 5 logins on host2

user="testuser" | stats count by Workstations | stats avg(count) - this is the average count of logins for one user (15 and 25.5 in my case)

And now I want to find all users who have logins on hosts with less than the average count (user1 on host3 and user2 on host2 in my case).


somesoni2
Revered Legend

Try something like this

index=foo sourcetype=bar user=* | stats count by user Workstations | eventstats avg(count) as avg by user | where count<avg 


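To see the per-user average working end to end, here is an added example (not from the original answer) that builds a constructed set of login events with makeresults, mvrange and mvexpand, then runs the same stats/eventstats/where pipeline as above. It assumes the field names user and Workstations from the thread and the sample counts from the question (user1: 20/20/5, user2: 50/5); the field names sample, logins and n are made up for the data generation step.

```spl
| makeresults
| eval sample="user1,host1,20 user1,host2,20 user1,host3,5 user2,host1,50 user2,host2,5"
| makemv delim=" " sample
| mvexpand sample
| rex field=sample "^(?<user>[^,]+),(?<Workstations>[^,]+),(?<logins>\d+)$"
| eval n=mvrange(0, tonumber(logins))
| mvexpand n
| fields user Workstations
| stats count by user Workstations
| eventstats avg(count) as avg by user
| where count < avg
| sort user Workstations
```

On this constructed data eventstats yields avg=15 for user1 and avg=27.5 for user2, so the where clause keeps only user1/host3 (count 5) and user2/host2 (count 5), which are the "unusual" hosts per user. With real data, replace everything up to and including the fields line with your base search (for example index=foo sourcetype=bar user=*).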

Shark2112
Communicator

Seems bad =(
Workstations don't get grouped; avg is the average of count, not the count of fields.


somesoni2
Revered Legend

Not sure I get it. What's the problem with the result?


Shark2112
Communicator

hostname | user  | count | avg
host1    | user1 | 3     | 797.368421
host2    | user2 | 2     | 3010.000000
host2    | user3 | 4     | 1.500000
etc.


somesoni2
Revered Legend

So, it is giving you a list of all user and hostname combinations where count is less than the average count of user sessions for that user. Isn't that the expectation?


Shark2112
Communicator

Yes, it all works fine, I got it wrong because of lower/upper case, thanks for the help!
