How can I compare latest stats with older metrics ...

kapliars · ‎02-01-2016

Hi!

I have application metrics in a log, and every 10 minutes, I'm printing all app perf stats. It looks like ():

2016-01-30 00:00:00.000 [metrics] name=readDatabase min=0.001 mean=0.005 p99=0.013 
2016-01-30 00:00:00.000 [metrics] name=writeDatabase min=0.003 mean=0.025 p99=0.442 
2016-01-30 00:00:00.000 [metrics] name=readCache min=0.0001 mean=0.0002 p99=0.001 
2016-01-30 00:00:00.000 [metrics] name=writeCache min=0.001 mean=0.005 p99=0.013

Actually, there's much more metrics and much more stats for each them: all percentiles, error rates, etc.

I would like to turn it into a table, where metrics would be rows and stats would be columns, and I would like to have different aggregation for comparison, like compare last print out with average for the last 24h:

| name         | mean_last | p50_last | mean_avg24h | p50_avg24h |
| readDatabase | 0.005     | 0.001    | 0.03        | 0.02       | 
| writeDatabase| 0.010     | 0.005    | 0.015       | 0.020      |

Is it possible?

somesoni2 · ‎02-01-2016

Try something like this

your base search | table _time name min mean p99 | stats latest(*) as *_last by name  | append [search your base search | table _time name min mean p99 | stats avg(*) as *_avg24h by name ] | stats values(*) as * by name

How can I compare latest stats with older metrics in a table?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How can I compare latest stats with older metrics in a table?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES