Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare average between two non-adjacent time periods?

BenTreeser
Explorer
‎08-31-2022 07:18 AM

Hello,

what' the best way to compare averages between two non-adjacent time periods. I have bunch of api call events with response_time field. I need a dashboard, where I can see the performance difference between last month and current month.

If I try the following, somehow the averages are blank in dashboard, but click on the enlarging glass of the tile, I get a a search query with values. What am I missing?

Is there an even more efficient and faster way?

 

 

<form>
  <label>API Performance</label>
  <search id="multisearch">
    <query>| multisearch 
	[ search earliest=$periodBeforeTok.earliest$ latest=$periodBeforeTok.latest$  index=A my_search_query response_time=*
		| eval response_time_before=response_time
		| fields api_request response_time_before
		| eval timeSlot="1"  ]
	 [search earliest=$periodAfterTok.earliest$ latest=$periodAfterTok.latest$ index=A my_search_query
		| eval response_time_after=response_time
		| fields api_request response_time_after
		| eval timeSlot="2" ]
	</query>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="periodBeforeTok">
      <label>Before Time Period</label>
      <default>
        <earliest>1658707200</earliest>
        <latest>1659312000</latest>
      </default>
    </input>
    <input type="time" token="periodAfterTok">
      <label>After Time Period</label>
      <default>
        <earliest>1659312000</earliest>
        <latest>1659916800</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Query Stats</title>
        <search base="multisearch">
          <query>| stats  count as totalCount, count(eval(timeSlot=1)) as totalCountBefore, count(eval(timeSlot=2)) as totalCountAfter, avg(response_time_before) as response_time_before, avg(response_time_after) as response_time_after by api_request
	| eval response_time_before=round(response_time_before/1000,3)
	| eval response_time_after=round(response_time_after/1000,3)
	| eval delta_response_time=response_time_after-response_time_before
	| table api_request totalCountBefore totalCountAfter response_time_before response_time_after delta_response_time</query>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2022 11:08 AM

Is this just a typo? Your multisearch has fields api_api_request whereas your stats has api_request

0 Karma
Reply

BenTreeser
Explorer
‎08-31-2022 11:25 PM

ouh yeah, you are right. That was a typo. I've fixed the type now. The questions stays the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...