Re: compare today vs last week same hour stats and...

DougiieDee · ‎03-22-2023

I have this working query which needs some additional detailing.

index=_internal earliest=-1h@h latest=@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="Today"
| append
[ search index=_internal earliest=-7d-1h@h latest=-7d@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="lastweek" | eval _time=_time+604800]
| stats first(uri) as apiName avg(response_time) as avgresponse_time count by operationName ReportKey

Is there a way to get like this where it will compare all average response time and then give the percentile differences.

operation

uri

today_avg

(response_time)

lastweek_avg

(response_time)

% differrences

avg(response_time)

today

count

last week

count

abc

/api/abc

222

333

12312

42343

xyz

/api/xyz

867

4234

87978

67867

yeahnah · ‎03-22-2023

Hi @DougiieDee

This same question has also been asked and anwsered here

https://community.splunk.com/t5/Splunk-Search/How-to-compare-today-hourly-stats-and-previous-week-sa...

How to compare today vs last week same hour stats and give percentage?

chart

eval

fields

join

lookup

metadata

stats

table

timechart

transaction

tstats

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

How to compare today vs last week same hour stats and give percentage?