Splunk Search

Compare responseTime field today to last week without using append

appache
Path Finder

Hello, I have a problem comparing the responseTime field for the last minute with last week (Monday - Sunday).
The query below gives the results I am seeking, but the append command limits to 50000 events, so avg(responseTime) is not accurate for the last week.

index=abc sourcetype=123
| eval responseTime1=responseTime/1000
| append [search index=abc earliest=-1w@w1 latest=@w1 sourcetype=123 | eval responseTime7=responseTime/1000 ]
| stats avg(responseTime1) AS one avg(responseTime7) AS two by application

I have tried many examples which I found in Splunk Answers, but none of them are suitable for my requirement.

Can someone help me with this one?

Thank you very much in advance!...

0 Karma
1 Solution

sundareshr
Legend

Try this

index=abc sourcetype=123 earliest=-1w@w1
| eval when=if(_time>relative_time(now(), "-1m@m"), "Current", "Last Week")
| eval responseTime=responseTime/1000
| chart avg(responseTime) AS one by application when

The relative_time function checks to see if the time the event occurred is greater than -1min from now; if so, it considers it as current. You can adjust the -1m to whatever you need it to be.


0 Karma

sundareshr
Legend

See if this gives you some ideas

index=abc sourcetype=123 earliest=-1w@w1
  | eval when=case(_time>relative_time(now(), "-1m@m"), "Current", _time>relative_time(now(), "-1w@w1") AND _time<relative_time(now(), "-1w@w6"), "Last Week", 1=1, "Somewhere in between")
  | eval responseTime=responseTime/1000
  | stats avg(eval(if(when="Current", responseTime, null()))) as Current avg(eval(if(when="Last Week", responseTime, null()))) as "Last Week"
0 Karma


appache
Path Finder

Thank you so much sundareshr, your query did help me out; I appreciate your quick response. I need to have this query in ITSI; in ITSI I need to specify the threshold fields "Current" and "Last week" as KPIs to monitor in real time.
Is there a way I could divide the field "when" into two separate fields, "Current" and "Last week"?

0 Karma

sundareshr
Legend

You mean something like this?

eval Current=if(_time>relative_time(now(), "-1m@m"), 1, 0)  | eval "Last Week"=if(_time<relative_time(now(), "-1m@m"), 1, 0)
0 Karma

appache
Path Finder

No, when we had (| chart avg(responseTime) AS one by application when) we got Current and Lastweek fields out of it. Even if we separate "when" into current and lastweek, it still gives 0 and 1 for both.
Now "when" is a field in the interesting fields on our left. Instead of that I need Current and Lastweek as fields.
I am expecting as below:
|chart avg(responseTime) AS one by application Current LastWeek

application Current LastWeek
1 values values
2 values values
3 values values

0 Karma

sundareshr
Legend

Sorry, I am missing something. Don't you get the desired output when you do (| chart avg(responseTime) AS one by application when)?

0 Karma

appache
Path Finder

When we do (| chart avg(responseTime) AS one by application when)
"when" populates two sub fields, "Current" and "Lastweek".
Instead of having sub fields in "when", is it possible to have "Current" and "Lastweek" as separate fields like "when"?

0 Karma

appache
Path Finder

Even like the above example, if we divide the field into two separate fields we again have two sub fields in Current and LastWeek. This doesn't work in ITSI, because we can't use any aggregations in ITSI except eventstats. Unless we have Current and LastWeek as separate fields in the interesting fields on our left hand side, without having the sub fields "0" and "1", I won't be able to use this query.

0 Karma

sundareshr
Legend

Like this?

eval Current=if(_time>relative_time(now(), "-1m@m"), 1, null())  | eval "Last Week"=if(_time<relative_time(now(), "-1m@m"), 1, null())
0 Karma

sundareshr
Legend

Or like this

index=abc sourcetype=123 earliest=-1w@w1
 | eval when=if(_time>relative_time(now(), "-1m@m"), "Current", "Last Week")
 | eval responseTime=responseTime/1000
 | stats avg(eval(if(when="Current", responseTime, null()))) as Current avg(eval(if(when="Last Week", responseTime, null()))) as "Last Week"
0 Karma

appache
Path Finder

Thank you sundareshr, it did work. How do I specify the latest time in the query to limit it to only last week (August 14 - Aug 21)? Now it's taking events till today. If I am adding latest=@w1 I am not able to get the "current" field.

0 Karma

sundareshr
Legend

If it's only last week, what will you be comparing against?

0 Karma

appache
Path Finder

I apologize for not being clear; I appreciate your help. I need to compare avg(responsetime) of only last week (ex: Monday - Sunday) with avg(responsetime) of the last minute by application, and calculate the variance (difference) of both avg_responsetime fields in percentage.
The last week field should be static throughout the week and should change only on every Monday, giving last Monday to Sunday avg_responsetime. The current field should be dynamic every minute, as well as the variance %.

0 Karma
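The comparison the last two posts describe (a last-week average that stays fixed from Monday to Sunday, a current average over the last minute, and the percentage difference per application), written out as one search. This is an added example, not a query from any post in this thread. It assumes the same index=abc, sourcetype=123, responseTime in milliseconds and an application field as the question; the output field names Current, LastWeek and VariancePct are chosen here, and the case() label "Skip" is just a marker for events that fall in neither window.

```spl
index=abc sourcetype=123 earliest=-1w@w1
| eval responseTime=responseTime/1000
| eval when=case(
    _time>=relative_time(now(), "-1m@m"), "Current",
    _time>=relative_time(now(), "-1w@w1") AND _time<relative_time(now(), "@w1"), "LastWeek",
    1=1, "Skip")
| where when!="Skip"
| stats avg(eval(if(when="Current", responseTime, null()))) AS Current
        avg(eval(if(when="LastWeek", responseTime, null()))) AS LastWeek
        BY application
| eval VariancePct=round((Current-LastWeek)/LastWeek*100, 2)
```

The single search window starts at last Monday (earliest=-1w@w1), so no append and no subsearch event limit is involved. The "LastWeek" bucket is bounded on both sides, -1w@w1 up to but not including @w1 (this Monday), so its average only moves when the week rolls over; the "Current" bucket is the last whole minute; events from this Monday up to a minute ago are dropped by the where clause so they do not pollute either average. An application with no events in the last minute gets a null Current and a null VariancePct rather than a misleading zero. For the ITSI constraint mentioned above, replacing stats with eventstats keeps every event row and attaches Current, LastWeek and VariancePct to each of them as plain fields.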