Dashboards & Visualizations

Trend scenario - three dimensional data

reverse
Contributor

So In my logs I have transaction_id, processing_time, page_id and action done on page action_id
processing time is per action.

I need to show a trend of actions/pages for which daily average processing_time is continuously increasing over a selected time period.

Please guide,

Tags (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @reverse,

You're looking for something like this :

... | chart avg(processing_time) values(transaction_id) as transaction_id, values(action_id) as action_id by _time span=1d 

You can play around with the span if needed.

More info about using chart command here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Chart

Cheers,
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi @reverse,

You're looking for something like this :

... | chart avg(processing_time) values(transaction_id) as transaction_id, values(action_id) as action_id by _time span=1d 

You can play around with the span if needed.

More info about using chart command here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Chart

Cheers,
David

0 Karma

reverse
Contributor

it is showing only 1 entry avg(processing_time and all pages listed in single row against a date ..
transaction_id is not relevant here .. page_id is ...

0 Karma

reverse
Contributor
2019-05-18  187.80
                    A
                    B
                    C
                    D
                    E
                    I
0 Karma

DavidHourani
Super Champion

oh so you want to have your page_idas "by" for the chart ? I thought it's just the _time

reverse
Contributor

I am trying to find out pages which are deteriorating over time..
each page has actions ..

page_id has multiple action_id (which makes data 3d) and there is also individual transaction processing time for each action on every page..

0 Karma

DavidHourani
Super Champion

okay so from what you're saying, the three dimensions are page_id that contains action_idand we need the avg processing_time for each of the action_id :

 ... | chart avg(processing_time) by transaction_id ,action_id

DavidHourani
Super Champion

You can also add the time using the bucket command and a span..in this case 1hour :

... |bucket span=1h _time | stats avg(processing_time) by transaction_id ,action_id,_time

reverse
Contributor

this worked !.. i replaced transaction_id with page_id

0 Karma

DavidHourani
Super Champion

put your other question in another question and post the link here lol I don't really understand this one 😄

0 Karma

reverse
Contributor

Since data is in multiple rows by_time. .. I need the difference of last time and first time a nd then top 10 .. so that top 10 slow pages can be identified. Simple

0 Karma

DavidHourani
Super Champion

hahah you're welcome ! plz up vote the comments and answer and accept and let me see for your next question

0 Karma

reverse
Contributor

thanks for your help!!!!!! Now .. more complexity ..
there are 250 pages .. each page has minimum 3 actions ...

I want to show only those results (pages\action combo) for which daily average processing time has increased lets say by 10 % ... or to make it simple ... top 10 worst performing results (pages\action combo) since the start of time range .. example .. comparing today with 7th day before [last 7 days]..
this is really complex...

0 Karma

reverse
Contributor

..as if it is showing avg of all pages

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...