Splunk Search

Compare responseTime field toady to last week without using append

appache
Path Finder

Hello, I have a problem comparing responseTime field last minute with last week (monday - sunday).
Below query give the results what i am seeking for, but append command limits to 50000 events, So avg(responseTime) is not accurate for the last week.

index=abc sourcetype=123
| eval responseTime1=responseTime/1000
| append [search index=abc earliest=-1w@w1 latest=@w1 sourcetype=123 | eval responseTime7=responseTime/1000 ]

| stats avg(responseTime1) AS one avg(responseTime7) AS two by application

I have tried many examples which i found in splunk answers but none of them are suitable for my requirement.

Can someone help me with this one?

Thank you very much in advance!...

0 Karma
1 Solution

sundareshr
Legend

Try this

index=abc sourcetype=123 earliest=-1w@w1 
| eval when=if(_time>relative_time(now(), "-1m@m", "Current", "Last Week")
| eval responseTime=responseTime/1000 
| chart avg(responseTime) AS one by application when

The relative_time function checks to see if time the event occured is greater than -1min from now, it considers it as current. You can adjust the -1m to whatever you need it to be.

View solution in original post

0 Karma

sundareshr
Legend

See of this gives you some ideas

index=abc sourcetype=123 earliest=-1w@w1 
  | eval when=case(_time>relative_time(now(), "-1m@m"), "Current", _time>relative_time(now(), "-1w@w1") AND _time<relative_time(now(), "-1w@w6"), "Last Week", 1=1, "Somewhere in between")
  | eval responseTime=responseTime/1000 
  | stats avg(eval(if(when="Current", responseTime, null()) as Current avg(eval(if(when="Last Week", responseTime, null()) as "Last Week"
0 Karma

sundareshr
Legend

Try this

index=abc sourcetype=123 earliest=-1w@w1 
| eval when=if(_time>relative_time(now(), "-1m@m", "Current", "Last Week")
| eval responseTime=responseTime/1000 
| chart avg(responseTime) AS one by application when

The relative_time function checks to see if time the event occured is greater than -1min from now, it considers it as current. You can adjust the -1m to whatever you need it to be.

0 Karma

appache
Path Finder

Thankyou so much sundareshr, your query did helped me out appreciate your quick response. i need to have this query in ITSI in ITSI i need to specify threshold field "Current" and "Last week" as kpi to monitor real time.
is there a way i could divide the field "when" into two separate fields "Current" and Last week".

0 Karma

sundareshr
Legend

You mean something like this?

eval Current=if(_time>relative_time(now(), "-1m@m"), 1, 0)  | eval "Last Week"=if(_time<relative_time(now(), "-1m@m"), 1, 0)
0 Karma

appache
Path Finder

No, when had (| chart avg(responseTime) AS one by application when) we get Current and Lastweek fields out of it. even if we separate "when" into current and lastweek it still gives o and 1 for both.
Now "When" is a field in interesting fields on our left. Instead of that i need Current and Lastweek as a fields
i am expecting as below
|chart avg(responseTime) AS one by application Current LastWeek

application Current LastWeek
1 values values
2 values values
3 values values

0 Karma

sundareshr
Legend

Sorry, I am missing something. Don't you get the desired output when you do (| chart avg(responseTime) AS one by application when

0 Karma

appache
Path Finder

When we do (| chart avg(responseTime) AS one by application when )
"when" populates two sub fields "Current" and "Lastweek"
instead of having sub fields in "when" is it possible to have "Current" and "Lastweek" as a separate fields like "when".

0 Karma

appache
Path Finder

even like the above example if we divide the field into two separate fields again we have two sub fields in Current and LastWeek. this doesnt work in ITSI. because we cant use any aggregations in ITSI except eventstats. Until unless we have Current and LastWeek as an separate fields intresting fields on our left hand side without having sub fields "0" and "1" i wont be able to use this query

0 Karma

sundareshr
Legend

Like this?

eval Current=if(_time>relative_time(now(), "-1m@m"), 1, null())  | eval "Last Week"=if(_time<relative_time(now(), "-1m@m"), 1, null())
0 Karma

sundareshr
Legend

Or like this

index=abc sourcetype=123 earliest=-1w@w1 
 | eval when=if(_time>relative_time(now(), "-1m@m", "Current", "Last Week")
 | eval responseTime=responseTime/1000 
 | stats avg(eval(if(when="Current", responseTime, null()) as Current avg(eval(if(when="Last Week", responseTime, null()) as "Last Week"
0 Karma

appache
Path Finder

Thankyou sundareshr, it did work, how do i specify latest time in the query to limit to only last week (august 14 -aug 21), now its taking till today. if iam adding latest=@w1 i am not able to get "current" field

0 Karma

sundareshr
Legend

If its only last week, what will you be comparing against?

0 Karma

appache
Path Finder

I apologize for not being clear appreciate your help, i need to compare avg(responsetime) of only last week (ex: monday - sunday), compare with avg(responsetime) of last min by application and calculate the variance(difference) of both avg_responsetime fields in percentage.
last week field should change be static through out the week and it should change only on every monday giving last monday to sunday avg_responsetime. and the current fields should be dynamic every min as well as variance%.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...