Hello, we are looking to present daily run time values of events in a search, but only display the daily run time values that are greater than the calculated 30-day run time average.
I've tried `eventstats` with a `where` command, but it doesn't seem like `where` plays nicely with the `values` command. I tried using `first` instead of `values`, but that seems to skew the daily results. Any suggestions? Perhaps a subsearch?
```spl
our_search
| eventstats values(duration_minutes) as run_time by firm_name
| eventstats avg(duration_minutes) as avg_time by firm_name
| where run_time>avg_time
| timechart span=1d values(run_time) by firm_name
```
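One way to get per-day values that are compared against the 30-day average, as an added example that is not part of the original post. In the posted search, `values(duration_minutes)` collapses every duration for a firm into one multivalue field on each event, so the `where` clause is not evaluated once per daily value. Rolling the events up to one row per day and firm first gives `where` a single number to compare. The `earliest`/`latest` window and the use of `sum()` for the daily run time are assumptions for this example; substitute `avg()` or `max()` if "daily run time" means something else in your data.

```spl
our_search earliest=-30d@d latest=@d
| bin _time span=1d
| stats sum(duration_minutes) as run_time by _time firm_name
| eventstats avg(run_time) as avg_time by firm_name
| where run_time > avg_time
| timechart span=1d values(run_time) by firm_name
```

After the `stats`, `run_time` is a single value per day and firm, `avg_time` is the mean of those daily values across the 30-day window, and only the days above that mean survive into the `timechart`. Note that this averages the daily totals, whereas `eventstats avg(duration_minutes)` in the original averaged individual events; pick whichever baseline matches what the report is meant to show.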