Solved: Compare responseTime field toady to last week with... - Page 2

appache · ‎08-27-2016

Hello, I have a problem comparing responseTime field last minute with last week (monday - sunday).
Below query give the results what i am seeking for, but append command limits to 50000 events, So avg(responseTime) is not accurate for the last week.

index=abc sourcetype=123
| eval responseTime1=responseTime/1000
| append [search index=abc earliest=-1w@w1 latest=@w1 sourcetype=123 | eval responseTime7=responseTime/1000 ]

| stats avg(responseTime1) AS one avg(responseTime7) AS two by application

I have tried many examples which i found in splunk answers but none of them are suitable for my requirement.

Can someone help me with this one?

Thank you very much in advance!...

sundareshr · ‎08-27-2016

Try this

index=abc sourcetype=123 earliest=-1w@w1 
| eval when=if(_time>relative_time(now(), "-1m@m", "Current", "Last Week")
| eval responseTime=responseTime/1000 
| chart avg(responseTime) AS one by application when

The relative_time function checks to see if time the event occured is greater than -1min from now, it considers it as current. You can adjust the -1m to whatever you need it to be.

View solution in original post

Compare responseTime field toady to last week without using append

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!