Solved: Trend scenario - three dimensional data

reverse · ‎05-19-2019

So In my logs I have transaction_id, processing_time, page_id and action done on page action_id
processing time is per action.

I need to show a trend of actions/pages for which daily average processing_time is continuously increasing over a selected time period.

Please guide,

DavidHourani · ‎05-19-2019

Hi @reverse,

You're looking for something like this :

... | chart avg(processing_time) values(transaction_id) as transaction_id, values(action_id) as action_id by _time span=1d

You can play around with the span if needed.

More info about using chart command here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Chart

Cheers,
David

View solution in original post

DavidHourani · ‎05-19-2019

Hi @reverse,

You're looking for something like this :

... | chart avg(processing_time) values(transaction_id) as transaction_id, values(action_id) as action_id by _time span=1d

You can play around with the span if needed.

More info about using chart command here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Chart

Cheers,
David

reverse · ‎05-19-2019

it is showing only 1 entry avg(processing_time and all pages listed in single row against a date ..
transaction_id is not relevant here .. page_id is ...

reverse · ‎05-19-2019

2019-05-18  187.80
                    A
                    B
                    C
                    D
                    E
                    I

DavidHourani · ‎05-19-2019

oh so you want to have your page_idas "by" for the chart ? I thought it's just the _time

reverse · ‎05-19-2019

I am trying to find out pages which are deteriorating over time..
each page has actions ..

page_id has multiple action_id (which makes data 3d) and there is also individual transaction processing time for each action on every page..

DavidHourani · ‎05-19-2019

okay so from what you're saying, the three dimensions are page_id that contains action_idand we need the avg processing_time for each of the action_id :

 ... | chart avg(processing_time) by transaction_id ,action_id

DavidHourani · ‎05-19-2019

You can also add the time using the bucket command and a span..in this case 1hour :

... |bucket span=1h _time | stats avg(processing_time) by transaction_id ,action_id,_time

reverse · ‎05-19-2019

this worked !.. i replaced transaction_id with page_id

DavidHourani · ‎05-19-2019

put your other question in another question and post the link here lol I don't really understand this one 😄

reverse · ‎05-19-2019

https://answers.splunk.com/answers/747008/trend-scenario-ii-three-dimensional-data.html?minQuestionB...

reverse · ‎05-19-2019

Since data is in multiple rows by_time. .. I need the difference of last time and first time a nd then top 10 .. so that top 10 slow pages can be identified. Simple

DavidHourani · ‎05-19-2019

hahah you're welcome ! plz up vote the comments and answer and accept and let me see for your next question

reverse · ‎05-19-2019

thanks for your help!!!!!! Now .. more complexity ..
there are 250 pages .. each page has minimum 3 actions ...

I want to show only those results (pages\action combo) for which daily average processing time has increased lets say by 10 % ... or to make it simple ... top 10 worst performing results (pages\action combo) since the start of time range .. example .. comparing today with 7th day before [last 7 days]..
this is really complex...

reverse · ‎05-19-2019

..as if it is showing avg of all pages

Trend scenario - three dimensional data

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout