Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare average of last 30 days to last 90 days in single search?

richnavis88
Explorer
‎09-09-2022 08:52 AM

I believe there is no report Splunk cannot produce, but I'm having trouble with this one. I'd like to generate a report that compares the last 30 days average duration with last 90 days average duration and shows the increase/decrease. I am having no troubles getting the last 90 day average, but I can't figure out how to include the last 30 day average in the same query... The data I'm working with is similar to this

date Job Duration
9/1/2022 Job1    33
9/1/2022 Job2   12
9/1/2022 Job3   128
9/2/2022 Job1   14
9/2/2022 Job2   99
9/2/2022 Job3   128
9/3/2022 Job1   16
9/3/2022 Job2   33
9/3/2022 Job3   22
9/4/2022 Job1  196
9/4/2022 Job2  393
9/4/2022 Job3 192

I'd like a report that looks like this.
 Job          All  Days    Last 2 Days
Job1        21                17
Job2       44                 35
Job3       28                 17

I can generate the ALL Days, but am not sure how to get the last 2 days.. Heres what I have.

search=foo
| bucket=_time span=1d
| stats sum(duration) as duration by time, jobtype
| stats avg(duration) as duration by jobtype

Any gurus out there that can help? 

 

Labels (1)
Labels
0 Karma
Reply

richnavis88
Explorer
‎09-10-2022 10:29 AM

eventstats doesn't support window parameter as far as I'm aware.  I've tried the streamstats parameter,  which does have a windows and start_window parameter, but can't seem to get it to provide the data I'm after

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-09-2022 12:52 PM

Have you try eventstats with window parameter?

0 Karma
Reply

richnavis88
Explorer
‎09-10-2022 10:35 AM

eventstats doesn't support the window parameter.  I tried streamstats with window and time_window, but I can't seem to get it to report correctly

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...