Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing performance data from last week to today, using lookup table??

danoconnl
Explorer
‎01-08-2017 08:59 AM

I have a report that returns
method Avg(timing) perc90(timing)
that I would like to create as a baseline each week.
index=some_index sourcetype=some_perf method="Oracle*" | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method

Then I would like to create an alert that runs say every half hour or hour that whenever the avg or per90 for a particular method deviates from the base by say 20% I would get a alert that we might have a problem in the database.

I was thinking I would create a report of last weeks results as a lookup table and then do comparisons between each, but I'm not sure how.

we have several customers that depend on the performance of our application and I'd like to be proactive if there is a sudden slowdown in the database

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-08-2017 10:45 AM

Try something like this

Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method
| outputlookup method_timing_baseline.csv

Cron: 55 00 * * 1 (every monday 00:55AM)

Now you can run your alert search reference this lookup to compare and alert.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m  | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average >1.2*LastWeekAverage OR '90th Perc'>1.2*LastWeekPercentile90

Cron : 5,35 * * * * (every 30 mins on 5 and 35 minute of hour)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-08-2017 10:45 AM

Try something like this

Search 1: Runs weekly and updates your lookup table to store weekly (last week I'm assuming) baseline of the average and perc90 of the timing field.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-1w@w latest=@w| stats avg(timing) as LastWeekAverage perc90(timing) as LastWeekPercentile90 by method
| outputlookup method_timing_baseline.csv

Cron: 55 00 * * 1 (every monday 00:55AM)

Now you can run your alert search reference this lookup to compare and alert.

index=some_index sourcetype=some_perf method="Oracle*" earliest=-35m@m latest=-5m@m  | stats avg(timing) as Average perc90(timing) as "90th Perc" perc95(timing) as "95th Perc" max(timing) as MAX count by method | lookup method_timing_baseline.csv method OUTPUT LastWeekAverage LastWeekPercentile90 | where Average >1.2*LastWeekAverage OR '90th Perc'>1.2*LastWeekPercentile90

Cron : 5,35 * * * * (every 30 mins on 5 and 35 minute of hour)

0 Karma
Reply
Solved! Jump to solution

danoconnl
Explorer
‎01-08-2017 11:46 AM

exactly what I was looking for as a starting point, thanks alot

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-08-2017 09:34 AM

Is your search given here supposed to get Average and 90th Percentile for entire week or just last week same hour as current hour today?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

danoconnl
Explorer
‎01-08-2017 11:45 AM

my plan was to get the average for last week, because performance should be comparable within certain parameters +/- 10-or-20%. Really I'm looking for an alert when things have gone real bad and we'll start missing our SLAs

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...