Solved: Re: Subsearch calculating average of hits and show...

changwoo · ‎07-08-2014

I am trying to make a subsearch which calculates the avg of the hits .
And showing the list of higher value than the avg.

i tried the search like this :
index= temp sourcetype = searchlog [search index = temp sourcetype = searchlog |stats avg(searchKeyword.hits) as avg | fields avg] | table avg

What's the problem ?

Suda · ‎07-08-2014

Hello,

Could you try to use "eventstats"?

I think the "Example 3" of eventstats would be the same as your requirement.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Eventstats

index=temp sourcetype=searchlog | eventstats avg(searchKeyword.hits) AS avg | where searchkeyword.hits > avg

I hope it helps you. Happy splunking!

View solution in original post

Suda · ‎07-08-2014

Hello,

Could you try to use "eventstats"?

I think the "Example 3" of eventstats would be the same as your requirement.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Eventstats

index=temp sourcetype=searchlog | eventstats avg(searchKeyword.hits) AS avg | where searchkeyword.hits > avg

I hope it helps you. Happy splunking!

changwoo · ‎07-09-2014

Thanks!!! it works perfect!!!

martin_mueller · ‎07-09-2014

Note, you need to enclose searchKeyword.hits in single quotes for the where (and the RHS of eval) commands:

... | where 'searchKeyword.hits' > avg

Else the command will interpret the dot as the string concatenation operator.

Subsearch calculating average of hits and showing list of values higher than the average?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services