How to compare average of last 30 days to last 90 ...

richnavis88 · ‎09-09-2022

I believe there is no report Splunk cannot produce, but I'm having trouble with this one. I'd like to generate a report that compares the last 30 days average duration with last 90 days average duration and shows the increase/decrease. I am having no troubles getting the last 90 day average, but I can't figure out how to include the last 30 day average in the same query... The data I'm working with is similar to this

date Job Duration
9/1/2022 Job1 33
9/1/2022 Job2 12
9/1/2022 Job3 128
9/2/2022 Job1 14
9/2/2022 Job2 99
9/2/2022 Job3 128
9/3/2022 Job1 16
9/3/2022 Job2 33
9/3/2022 Job3 22
9/4/2022 Job1 196
9/4/2022 Job2 393
9/4/2022 Job3 192

I'd like a report that looks like this.
Job All Days Last 2 Days
Job1 21 17
Job2 44 35
Job3 28 17

I can generate the ALL Days, but am not sure how to get the last 2 days.. Heres what I have.

search=foo
| bucket=_time span=1d
| stats sum(duration) as duration by time, jobtype
| stats avg(duration) as duration by jobtype

Any gurus out there that can help?

richnavis88 · ‎09-10-2022

eventstats doesn't support window parameter as far as I'm aware. I've tried the streamstats parameter, which does have a windows and start_window parameter, but can't seem to get it to provide the data I'm after

isoutamo · ‎09-09-2022

Have you try eventstats with window parameter?

richnavis88 · ‎09-10-2022

eventstats doesn't support the window parameter. I tried streamstats with window and time_window, but I can't seem to get it to report correctly

How to compare average of last 30 days to last 90 days in single search?

stats

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1