https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223527#M175927 <P>Try something like this</P> <P>Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.</P> <PRE><CODE>index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method | outputlookup method_timing_baseline.csv </CODE></PRE> <P>Cron: <CODE>55 00 * * 1</CODE> (every monday 00:55AM)</P> <P>Now you can run your alert search reference this lookup to compare and alert.</P> <PRE><CODE>index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average &gt;1.2*LastWeekAverage OR '90th Perc'&gt;1.2*LastWeekPercentile90 </CODE></PRE> <P>Cron : <CODE>5,35 * * * *</CODE> (every 30 mins on 5 and 35 minute of hour)</P> Sun, 08 Jan 2017 18:45:56 GMT somesoni2 2017-01-08T18:45:56Z https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223525#M175925 <P>I have a report that returns<BR /> method Avg(timing) perc90(timing)<BR /> that I would like to create as a baseline each week.<BR /> index=some_index sourcetype=some_perf method="Oracle*" | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method </P> <P>Then I would like to create an alert that runs say every half hour or hour that whenever the avg or per90 for a particular method deviates from the base by say 20% I would get a alert that we might have a problem in the database.</P> <P>I was thinking I would create a report of last weeks results as a lookup table and then do comparisons between each, but I'm not sure how.</P> <P>we have several customers that depend on the performance of our application and I'd like to be proactive if there is a sudden slowdown in the database</P> Tue, 29 Sep 2020 12:19:52 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223525#M175925 danoconnl 2020-09-29T12:19:52Z https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223526#M175926 <P>Is your search given here supposed to get Average and 90th Percentile for entire week or just last week same hour as current hour today?</P> Sun, 08 Jan 2017 17:34:58 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223526#M175926 niketn 2017-01-08T17:34:58Z https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223527#M175927 <P>Try something like this</P> <P>Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.</P> <PRE><CODE>index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method | outputlookup method_timing_baseline.csv </CODE></PRE> <P>Cron: <CODE>55 00 * * 1</CODE> (every monday 00:55AM)</P> <P>Now you can run your alert search reference this lookup to compare and alert.</P> <PRE><CODE>index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average &gt;1.2*LastWeekAverage OR '90th Perc'&gt;1.2*LastWeekPercentile90 </CODE></PRE> <P>Cron : <CODE>5,35 * * * *</CODE> (every 30 mins on 5 and 35 minute of hour)</P> Sun, 08 Jan 2017 18:45:56 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223527#M175927 somesoni2 2017-01-08T18:45:56Z https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223528#M175928 <P>my plan was to get the average for last week, because performance should be comparable within certain parameters +/- 10-or-20%. Really I'm looking for an alert when things have gone real bad and we'll start missing our SLAs</P> Sun, 08 Jan 2017 19:45:02 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223528#M175928 danoconnl 2017-01-08T19:45:02Z https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223529#M175929 <P>exactly what I was looking for as a starting point, thanks alot </P> Sun, 08 Jan 2017 19:46:16 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-performance-data-from-last-week-to-today-using-lookup/m-p/223529#M175929 danoconnl 2017-01-08T19:46:16Z