
Trend scenario II- three dimensional data

reverse
Contributor

https://answers.splunk.com/answers/746994/trend-scenario-three-dimensional-data.html#comment-747409

Extending this problem ... I want to show only those results (pages\action combo) for which the daily average processing time has worsened the most ... let's say by 10% ... or, to make it simple, the top 10 worst performing results (pages\action combo) since the start of the time range ... for example, comparing today with the 7th day before [last 7 days].
this is really complex...

0 Karma

DavidHourani
Super Champion

Hi again @reverse,

So starting with this from the previous question :

 ... |bucket span=1h _time | stats avg(processing_time) as average_processing_time by page_id ,action_id,_time

You have to add this :

| eval week_day=strftime(_time,"%w") 
| eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id
| eval processing_time_change=((average_processing_time-average_trend)/average_trend)*100 
| where processing_time_change>10 
| sort 10 -processing_time_change

This will first build an average for a specific result over the same day of the previous weeks. Then it calculates the current change in processing time compared to the overall average. Then it gives you the top 10 biggest changes.

Cheers,
David

0 Karma

reverse
Contributor

it says - "No results found."

0 Karma

reverse
Contributor

no results after eventstats

|bucket span=1d _time | stats avg(tran_time_ms) by page_id ,action,_time| eval week_day=strftime(_time,"%w")
| eventstats avg(average_processing_time) as average_trend by week_day, page_id ,action_id

0 Karma

DavidHourani
Super Champion

ah yes, you're not using the same fields in your stats and eventstats, make sure you align your field names and use the ones from your logs for tran_time_ms, action and the rest ^^

0 Karma

nabeel652
Builder

You can modify this code according to your requirements:

| eval day_of_week=strftime(_time,"%w")
| stats sum(count) as sum by day_of_week _time
| sort by day_of_week
| streamstats last(sum) as lastSum current=false window=1
| where isnotnull(lastSum)
| eval change = (sum-lastSum)/lastSum*100
| where change>15
0 Karma

nabeel652
Builder

day_of_week is 0-6 (Sunday-Saturday)

0 Karma

nabeel652
Builder

you mean you want to compare this Monday with last Monday and so on?

0 Karma

reverse
Contributor

you got it .. whatever is the date range .. last day - first day and worst 10

0 Karma

DavidHourani
Super Champion

do you always have values for your pages ? Because in this case if it's a new page with bad performance it won't show at all.

0 Karma
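
An added example, not part of any post in this thread: a Python model of the first-day versus last-day comparison the asker describes, useful for checking the arithmetic on exported rows. It also reports page/action combinations with no first-day baseline, the gap raised in the last reply. The sample events, the function name `worst_regressions` and the UTC day bucketing are assumptions; the field names follow the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (epoch seconds, page_id, action, tran_time_ms).
# Field names follow the thread; the values are invented for illustration.
def _ts(day, hour):
    return datetime(2019, 5, day, hour, tzinfo=timezone.utc).timestamp()

SAMPLE_EVENTS = [
    (_ts(1, 9), "home", "load", 100), (_ts(1, 15), "home", "load", 120),
    (_ts(7, 9), "home", "load", 160), (_ts(7, 15), "home", "load", 170),
    (_ts(1, 10), "cart", "save", 200), (_ts(7, 10), "cart", "save", 210),
    (_ts(4, 10), "cart", "save", 900),   # mid-range spike, not part of first/last
    (_ts(7, 11), "promo", "load", 950),  # new page: no first-day baseline
]

def worst_regressions(events, threshold_pct=10.0, top_n=10):
    """First-day vs last-day change in daily average per (page_id, action)."""
    # Equivalent of: bucket span=1d _time | stats avg(...) by page_id, action, _time
    # (assumption: days are bucketed on UTC boundaries)
    sums = defaultdict(lambda: [0.0, 0])
    for ts, page, action, ms in events:
        cell = sums[(page, action, int(ts // 86400))]
        cell[0] += ms
        cell[1] += 1
    daily = {key: total / n for key, (total, n) in sums.items()}
    first_day = min(day for _, _, day in daily)
    last_day = max(day for _, _, day in daily)

    ranked, no_baseline = [], []
    for page, action in sorted({(p, a) for p, a, _ in daily}):
        first = daily.get((page, action, first_day))
        last = daily.get((page, action, last_day))
        if last is None:
            continue  # no data on the final day, nothing to compare
        if not first:  # missing or zero baseline: percent change is undefined
            no_baseline.append((page, action, last))
            continue
        change = (last - first) / first * 100
        if change > threshold_pct:
            ranked.append((page, action, round(change, 1)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked[:top_n], no_baseline
```

The second return value lists the combinations that a percent-change filter alone would silently drop.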