
How to use the average of a field as a search parameter to filter results?

Communicator

Hey guys.

I want to search for non-standard hosts from which users log in to the server.

For example:
user1 - 20 logins on host1, 20 logins on host2, and 5 logins on host3
user2 - 50 logins on host1, 5 logins on host2

user="testuser" | stats count by Workstations | stats avg(count) - this is the average count of logins of one user (15 and 25.5 in my case)

And now I want to find all users who have logins on hosts with less than the average count (user1 on host3 and user2 on host2 in my case).


Re: How to use the average of a field as a search parameter to filter results?

SplunkTrust

Try something like this:

index=foo sourcetype=bar user=* | stats count by user Workstations | eventstats avg(count) as avg by user | where count<avg


Re: How to use the average of a field as a search parameter to filter results?

Communicator

Seems bad =(
Workstations don't get grouped; avg is the average of count, not the count of fields.


Re: How to use the average of a field as a search parameter to filter results?

SplunkTrust

Not sure I get it. What's the problem with the result?


Re: How to use the average of a field as a search parameter to filter results?

Communicator

hostname | user  | count | avg
host1    | user1 | 3     | 797.368421
host2    | user2 | 2     | 3010.000000
host2    | user3 | 4     | 1.500000
etc.


Re: How to use the average of a field as a search parameter to filter results?

SplunkTrust

So it is giving you the list of all user and hostname combinations where count is less than the average count of user sessions for that user. Isn't that the expectation?


Re: How to use the average of a field as a search parameter to filter results?

Communicator

Yes, all works fine; I got it wrong because of lower/upper case. Thanks for the help!

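The accepted search (`stats count by user Workstations | eventstats avg(count) as avg by user | where count<avg`) and the case-sensitivity mix-up from the last reply, worked through in Python over constructed login events; this is an added example, not code from the thread or from Splunk, and the sample events, user names and host names are made up.

```python
from collections import Counter, defaultdict

# Constructed sample login events (user, workstation), not taken from the thread.
# user1 has 20 logins on "host2" split across two spellings to mimic the
# lower/upper-case mismatch the original poster ran into.
EVENTS = (
    [("user1", "host1")] * 20
    + [("user1", "host2")] * 10
    + [("user1", "HOST2")] * 10
    + [("user1", "host3")] * 5
    + [("user2", "host1")] * 50
    + [("user2", "host2")] * 5
)


def count_by_user_workstation(events, case_insensitive=True):
    """Equivalent of `stats count by user Workstations`.

    Splunk field values are case-sensitive in `stats ... by`, so "host2" and
    "HOST2" become separate rows unless the values are normalised first
    (e.g. with `eval Workstations=lower(Workstations)` before the stats).
    """
    counts = Counter()
    for user, workstation in events:
        if case_insensitive:
            user, workstation = user.lower(), workstation.lower()
        counts[(user, workstation)] += 1
    return counts


def below_user_average(counts):
    """Equivalent of `eventstats avg(count) as avg by user | where count<avg`.

    Returns (user, workstation, count, avg) rows whose login count on that
    workstation is below the user's own per-workstation average, i.e. the
    user's less usual hosts.
    """
    per_user = defaultdict(list)
    for (user, _workstation), n in counts.items():
        per_user[user].append(n)
    avg = {user: sum(ns) / len(ns) for user, ns in per_user.items()}
    return sorted(
        (user, workstation, n, avg[user])
        for (user, workstation), n in counts.items()
        if n < avg[user]
    )


if __name__ == "__main__":
    # Normalised: user1 avg 15 -> only host3; user2 avg 27.5 -> only host2.
    for row in below_user_average(count_by_user_workstation(EVENTS)):
        print(row)
```

With `case_insensitive=False` the split "host2"/"HOST2" rows drag user1's average down to 11.25 and both spellings of host2 are wrongly flagged as unusual, which is the symptom the original poster described.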