Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare average of last 30 days to last 90 days in single search?

richnavis88
Explorer
‎09-09-2022 08:52 AM

I believe there is no report Splunk cannot produce, but I'm having trouble with this one. I'd like to generate a report that compares the last 30 days average duration with last 90 days average duration and shows the increase/decrease. I am having no troubles getting the last 90 day average, but I can't figure out how to include the last 30 day average in the same query... The data I'm working with is similar to this

date Job Duration
9/1/2022 Job1    33
9/1/2022 Job2   12
9/1/2022 Job3   128
9/2/2022 Job1   14
9/2/2022 Job2   99
9/2/2022 Job3   128
9/3/2022 Job1   16
9/3/2022 Job2   33
9/3/2022 Job3   22
9/4/2022 Job1  196
9/4/2022 Job2  393
9/4/2022 Job3 192

I'd like a report that looks like this.
 Job          All  Days    Last 2 Days
Job1        21                17
Job2       44                 35
Job3       28                 17

I can generate the ALL Days, but am not sure how to get the last 2 days.. Heres what I have.

search=foo
| bucket=_time span=1d
| stats sum(duration) as duration by time, jobtype
| stats avg(duration) as duration by jobtype

Any gurus out there that can help? 

 

Labels (1)
Labels
0 Karma
Reply

richnavis88
Explorer
‎09-10-2022 10:29 AM

eventstats doesn't support window parameter as far as I'm aware.  I've tried the streamstats parameter,  which does have a windows and start_window parameter, but can't seem to get it to provide the data I'm after

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-09-2022 12:52 PM

Have you try eventstats with window parameter?

0 Karma
Reply

richnavis88
Explorer
‎09-10-2022 10:35 AM

eventstats doesn't support the window parameter.  I tried streamstats with window and time_window, but I can't seem to get it to report correctly

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...