Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch calculating average of hits and showing list of values higher than the average?

changwoo
Communicator
‎07-08-2014 10:10 PM

I am trying to make a subsearch which calculates the avg of the hits .
And showing the list of higher value than the avg.

i tried the search like this :
index= temp sourcetype = searchlog [search index = temp sourcetype = searchlog |stats avg(searchKeyword.hits) as avg | fields avg] | table avg

What's the problem ?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Suda
Communicator
‎07-08-2014 11:39 PM

Hello,

Could you try to use "eventstats"?

I think the "Example 3" of eventstats would be the same as your requirement.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Eventstats

index=temp sourcetype=searchlog | eventstats avg(searchKeyword.hits) AS avg | where searchkeyword.hits > avg

I hope it helps you. Happy splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

Suda
Communicator
‎07-08-2014 11:39 PM

Hello,

Could you try to use "eventstats"?

I think the "Example 3" of eventstats would be the same as your requirement.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Eventstats

index=temp sourcetype=searchlog | eventstats avg(searchKeyword.hits) AS avg | where searchkeyword.hits > avg

I hope it helps you. Happy splunking!

Reply
Solved! Jump to solution

changwoo
Communicator
‎07-09-2014 12:46 AM

Thanks!!! it works perfect!!!

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-09-2014 12:43 AM

Note, you need to enclose searchKeyword.hits in single quotes for the where (and the RHS of eval) commands:

... | where 'searchKeyword.hits' > avg

Else the command will interpret the dot as the string concatenation operator.

Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...