Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare percentages with a week ago

ShagVT
Path Finder
‎08-12-2020 01:37 PM

Hello all, I'm trying to put together a dashboard that - among other things - compares the success rate of various transactions over the last hour with the same hour a week ago.  My base search results in rows that have two fields I particularly care about: event_name and event_status.

My desired outcome would look something like this:

event_nameLast hourLast Week
event195%96%
event285%41%
event372%100%
event425%69%

 

Here is the current query i have, which seems to basically work.

<base query> earliest=-169h@h latest=now
| fields + event_name, event_status, _time
| fields - _raw
| eval weekAgoHour = relative_time(now(), "-168h@h")
| eval lastHour = relative_time(now(), "-1h@h")
| eval ReportKey = "omit"
| eval ReportKey = case(_time < weekAgoHour,"Last Week", _time > lastHour,"Last Hour")
| where ReportKey != "omit"
| eventstats count(eval(event_status=="FAILED")) as FailedCount, count(eval(event_status=="SUCCESS")) as SuccessCount by event_name, ReportKey
| eval pctSuccess = round(SuccessCount/(SuccessCount+FailedCount)*100, 1)."%"
| chart values(pctSuccess) by event_name, ReportKey

 

The problem here is that it has to look at hundreds of millions of irrelevant rows ... everything that has happened in the last 169 hours.  Surely there must be a more efficient way to do this?  Maybe with multisearch?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ShagVT
Path Finder
‎08-25-2020 06:20 AM

For other intrepid developers, here is the approach I have worked out which seems to have worked pretty well.  Again, event_status and event_name are my own fields.  The results are a little more complex as well ... they show both the absolute counts as well as the percentages.  Also, having the time controls on the inner search allowed me to create a dropdown on a dashboard that included a number of predefined selections for timing by creating a field that contains values like "earliest=-169h@h latest=-168h@h" which I can then insert as a simple variable like $previousTimeWindow$ in place of those fields in the inner query.

<base query>
| fields + event_name, event_status, _time
| fields - _raw
| stats count(eval(event_status=="SUCCESS")) as SuccessCount, count(eval(event_status=="FAILED")) as FailedCount by event_name
| eval "Percent Success" = round(SuccessCount/(SuccessCount+FailedCount)*100, 1)."%"
| eval ReportKey="Current"
| append
[ search <base query> earliest=-169h@h latest=-168h@h
| fields + event_name, event_status, _time
| fields - _raw
| stats count(eval(event_status=="SUCCESS")) as SuccessCount, count(eval(event_status=="FAILED")) as FailedCount by event_name
| eval "Percent Success" = round(SuccessCount/(SuccessCount+FailedCount)*100, 1)."%"
| eval ReportKey="Previous"]
| chart values(SuccessCount), values(FailedCount), values("Percent Success") by event_name, ReportKey
| rename "values(FailedCount): Current" as "Current Failed", "values(FailedCount): Previous" as "Previous Failed", "values(Percent Success): Current" as "Current Success Rate", "values(Percent Success): Previous" as "Previous Success Rate", "values(SuccessCount): Current" as "Current Success", "values(SuccessCount): Previous" as "Previous Success", "event_name" as "Event Name"
| fields "Event Name", "Current Success", "Current Failed", "Current Success Rate", "Previous Success", "Previous Failed", "Previous Success Rate"

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-12-2020 01:49 PM

One option is to check out the Timewrap app (custom search command) to see if it meets your needs. It's dated, but should still work. Here is a Blog post from the author on the topic.

0 Karma
Reply

ShagVT
Path Finder
‎08-12-2020 02:02 PM

I saw this.  Unfortunately in our locked down corporate environment I don't think I can install apps like this.

0 Karma
Reply

to4kawa
Ultra Champion
‎08-12-2020 02:33 PM

<base query> (earliest=-169h@h latest=168h@h) OR earliest=@h | eval lastweek=if(_time>=relative_time(now(),"@h"),"lasthour","lastweek")

 

try lastweek variables.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...