I have the following query to capture the application response time, and put it in summary index
source=iislog app="abc" | sistats avg(time_taken) count by source
index=summary search_name="capture app response time" | timechart span=1d avg(time_taken) by orig_source.
I would like to create a report that i can compare the response time for this week, last week and 4 weeks ago in the same report. How can i do that?
Thanks in advance.
Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
... | timechart count span=1h | timewrap w
That's it!
Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
... | timechart count span=1h | timewrap w
That's it!
The easiest way to do this is by bucketing your _time field and then charting over it. Try this
index=summary search_name="capture app response time" | bucket _time span=1w | chart avg(time_taken) over _time by orig_source
This should produce a nice table with weekly averages. Run this over a month period and it should show what you are looking for.