Reporting

What is the best way to generate a report to compare average time over last 30 days with today's average time?

uhkc777
Explorer

I want to compare Avg time to process over last 30 days data and Avg time for today. If today's Avg is < 30 days Avg i need to generate a report. I can write it by using append command to calculate average over last 30 days but it's taking lot of time to load every time. Is there any other way to built this?.

I read about summary indexing but not sure how is it helpful in this situation.

Any suggestions on this is helpful for me.

Thanks,

0 Karma

somesoni2
Revered Legend

Assuming you already got the query using append/appendcols to get and compare the average and only performance is the issue, I believe summary indexing/or datamodel will definitely help here. The query for last 30 days would be the one causing slower performance and if you can pre-calculate that (calculate running last 30 day average), it will be become faster.

0 Karma

uhkc777
Explorer

Thank you. How can I use datamodel in this?

0 Karma

somesoni2
Revered Legend

YOu can create data model for your base search (more info here)
and then accelerate it for appropriate Summary Range (30 day time period, see more info here ).

Then use the data model query to calculate 30 day (you can also use it for today's) average values. Will be much faster.

0 Karma

sundareshr
Legend

Try this

index=foo sourcetype=foo earliest=-3d@d | eval when=if(_time>relative_time(now(), "@d"), "Today", "Month") | stats avg(response_time) as avgtime by when

uhkc777
Explorer

What is Today and Month in eval?. It's taking it as strings.

0 Karma

sundareshr
Legend

Those values/strings are set based on the _time value. If _time is greater/newer than start of the day (@d), then it is Today, else Month

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...