Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trend scenario II- three dimensional data

reverse
Contributor
‎05-19-2019 09:26 AM

https://answers.splunk.com/answers/746994/trend-scenario-three-dimensional-data.html#comment-747409

Extending this problem ...I want to show only those results (pages\action combo) for which daily average processing time has worsen the most... let's say by 10 % ... or to make it simple ... top 10 worst performing results (pages\action combo) since the start of time range .. example .. comparing today with 7th day before [last 7 days]..
this is really complex...

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-19-2019 11:16 PM

Hi again @reverse,

So starting with this from the previous question :

 ... |bucket span=1h _time | stats avg(processing_time) as average_processing_time by page_id ,action_id,_time

You have to add this :

| eval week_day=strftime(_time,"%w") 
| eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id
| eval processing_time_change=(average_processing_time/average_trend)*100 
| where processing_time_change>10 
| sort 10 -processing_time_change

This will first build an avg for a specific results over the same day of the previous weeks. Then calculate the current change in processing time compared to the overall average. Then give you the top 10 biggest changes.

Cheers,
David

0 Karma
Reply

reverse
Contributor
‎05-20-2019 11:45 AM

it says - "No results found."

0 Karma
Reply

reverse
Contributor
‎05-20-2019 11:46 AM

no results after eventstats

|bucket span=1d _time | stats avg(tran_time_ms) by page_id ,action,_time| eval week_day=strftime(_time,"%w")
| eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id

0 Karma
Reply

DavidHourani
Super Champion
‎05-20-2019 10:41 PM

ah yes, you're not using the same fields in your stats and eventstats, make sure you align your field names and use the ones from your logs for tran_time_ms, action and the rest ^^

0 Karma
Reply

nabeel652
Builder
‎05-19-2019 06:06 PM

You can modify this code according to your requirements:

| eval day_of_week=strftime(_time,"%w")  | stats sum(count) as sum by day_of_week _time | sort by day_of_week | streamstats last(sum) as lastSum  current=false window=1 | where isnotnull(lastSum) | eval change = (sum-lastSum)/lastSum*100 | where change>15
0 Karma
Reply

nabeel652
Builder
‎05-19-2019 06:08 PM

day_of_week is 0-6 (Sunday-Saturday)

0 Karma
Reply

nabeel652
Builder
‎05-19-2019 05:14 PM

you mean you want to compare this Monday with last Monday and so on?

0 Karma
Reply

reverse
Contributor
‎05-19-2019 05:25 PM

yo got it .. whatever is the date range .. last day -first day and worse 10

0 Karma
Reply

DavidHourani
Super Champion
‎05-19-2019 11:02 PM

do you always have values for your pages ? Because in this case if it's a new page with bad performance it won't show at all.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...