I've created a chart that only shows run times above a 60 day average and it's corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average, evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on my existing search I have working?
index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| stats avg(duration_minutes) as Average by firm_name]
↧