https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378841#M95255 <P>ah yes, you're not using the same fields in your <CODE>stats</CODE> and <CODE>eventstats</CODE>, make sure you align your field names and use the ones from your logs for tran_time_ms, action and the rest ^^</P> Wed, 30 Sep 2020 00:38:34 GMT DavidHourani 2020-09-30T00:38:34Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378832#M95246 <P><A href="https://answers.splunk.com/answers/746994/trend-scenario-three-dimensional-data.html#comment-747409">https://answers.splunk.com/answers/746994/trend-scenario-three-dimensional-data.html#comment-747409</A></P> <P>Extending this problem ...I want to show only those results (pages\action combo) for which daily average processing time has worsen the most... let's say by 10 % ... or to make it simple ... top 10 worst performing results (pages\action combo) since the start of time range .. example .. comparing today with 7th day before [last 7 days]..<BR /> this is really complex...</P> Sun, 19 May 2019 16:26:34 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378832#M95246 reverse 2019-05-19T16:26:34Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378833#M95247 <P>you mean you want to compare this Monday with last Monday and so on?</P> Mon, 20 May 2019 00:14:30 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378833#M95247 nabeel652 2019-05-20T00:14:30Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378834#M95248 <P>yo got it .. whatever is the date range .. last day -first day and worse 10</P> Mon, 20 May 2019 00:25:05 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378834#M95248 reverse 2019-05-20T00:25:05Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378835#M95249 <P>You can modify this code according to your requirements:</P> <PRE><CODE>| eval day_of_week=strftime(_time,"%w") | stats sum(count) as sum by day_of_week _time | sort by day_of_week | streamstats last(sum) as lastSum current=false window=1 | where isnotnull(lastSum) | eval change = (sum-lastSum)/lastSum*100 | where change&gt;15 </CODE></PRE> Mon, 20 May 2019 01:06:01 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378835#M95249 nabeel652 2019-05-20T01:06:01Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378836#M95250 <P>day_of_week is 0-6 (Sunday-Saturday)</P> Wed, 30 Sep 2020 00:36:23 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378836#M95250 nabeel652 2020-09-30T00:36:23Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378837#M95251 <P>do you always have values for your pages ? Because in this case if it's a new page with bad performance it won't show at all.</P> Mon, 20 May 2019 06:02:38 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378837#M95251 DavidHourani 2019-05-20T06:02:38Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378838#M95252 <P>Hi again @reverse,</P> <P>So starting with this from the previous question :</P> <PRE><CODE> ... |bucket span=1h _time | stats avg(processing_time) as average_processing_time by page_id ,action_id,_time </CODE></PRE> <P>You have to add this :</P> <PRE><CODE>| eval week_day=strftime(_time,"%w") | eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id | eval processing_time_change=(average_processing_time/average_trend)*100 | where processing_time_change&gt;10 | sort 10 -processing_time_change </CODE></PRE> <P>This will first build an avg for a specific results over the same day of the previous weeks. Then calculate the current change in processing time compared to the overall average. Then give you the top 10 biggest changes.</P> <P>Cheers,<BR /> David</P> Mon, 20 May 2019 06:16:00 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378838#M95252 DavidHourani 2019-05-20T06:16:00Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378839#M95253 <P>it says - "No results found."</P> Mon, 20 May 2019 18:45:41 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378839#M95253 reverse 2019-05-20T18:45:41Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378840#M95254 <P>no results after eventstats</P> <P>|bucket span=1d _time | stats avg(tran_time_ms) by page_id ,action,_time| eval week_day=strftime(_time,"%w") <BR /> | eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id</P> Wed, 30 Sep 2020 00:37:02 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378840#M95254 reverse 2020-09-30T00:37:02Z https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378841#M95255 <P>ah yes, you're not using the same fields in your <CODE>stats</CODE> and <CODE>eventstats</CODE>, make sure you align your field names and use the ones from your logs for tran_time_ms, action and the rest ^^</P> Wed, 30 Sep 2020 00:38:34 GMT https://community.splunk.com/t5/Getting-Data-In/Trend-scenario-II-three-dimensional-data/m-p/378841#M95255 DavidHourani 2020-09-30T00:38:34Z