Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing performance data from last week to today, using lookup table??

danoconnl
Explorer
‎01-08-2017 08:59 AM

I have a report that returns
method Avg(timing) perc90(timing)
that I would like to create as a baseline each week.
index=some_index sourcetype=some_perf method="Oracle*" | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method

Then I would like to create an alert that runs say every half hour or hour that whenever the avg or per90 for a particular method deviates from the base by say 20% I would get a alert that we might have a problem in the database.

I was thinking I would create a report of last weeks results as a lookup table and then do comparisons between each, but I'm not sure how.

we have several customers that depend on the performance of our application and I'd like to be proactive if there is a sudden slowdown in the database

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-08-2017 10:45 AM

Try something like this

Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method
| outputlookup method_timing_baseline.csv

Cron: 55 00 * * 1 (every monday 00:55AM)

Now you can run your alert search reference this lookup to compare and alert.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m  | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average >1.2*LastWeekAverage OR '90th Perc'>1.2*LastWeekPercentile90

Cron : 5,35 * * * * (every 30 mins on 5 and 35 minute of hour)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-08-2017 10:45 AM

Try something like this

Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method
| outputlookup method_timing_baseline.csv

Cron: 55 00 * * 1 (every monday 00:55AM)

Now you can run your alert search reference this lookup to compare and alert.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m  | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average >1.2*LastWeekAverage OR '90th Perc'>1.2*LastWeekPercentile90

Cron : 5,35 * * * * (every 30 mins on 5 and 35 minute of hour)

0 Karma
Reply
Solved! Jump to solution

danoconnl
Explorer
‎01-08-2017 11:46 AM

exactly what I was looking for as a starting point, thanks alot

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-08-2017 09:34 AM

Is your search given here supposed to get Average and 90th Percentile for entire week or just last week same hour as current hour today?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

danoconnl
Explorer
‎01-08-2017 11:45 AM

my plan was to get the average for last week, because performance should be comparable within certain parameters +/- 10-or-20%. Really I'm looking for an alert when things have gone real bad and we'll start missing our SLAs

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...