Splunk Search

How to create a stat table that has columns that represent the same time range per week.

New Member

I have this basic query and would like to create a stat table that shows the result for the last 3 weeks for the same datetime range.

    sourcetype=iis tag=webserver cs_uri_stem="/SearchQuery*" | stats avg(TimeTakenMS) by cs_uri_stem

Thanks in advance!

0 Karma

Motivator

Hello! Try this:

    sourcetype=iis tag=webserver cs_uri_stem="/SearchQuery*" earliest=-3w@w latest=now |bucket span=7d _time|stats avg(TimeTakenMS) by cs_uri_stem, _time
0 Karma

New Member

Hi Stephane, I am actually aiming for a result that will look something like this:

    cs_uri_stem      Week1   Week2   Week3
    /SearchQuery1    123     122     110
    /SearchQUery2    43      54      49

I am trying to tweak what you have given, though it should be near enough.

Thank you so much.

0 Karma

Motivator

Here is what I can do for you. Instead of Week1, Week2, ... in your table, you can say week of 10/April, week of 18/April, ...

Something like this:

    sourcetype=iis tag=webserver cs_uri_stem="/SearchQuery*" earliest=-3w@w latest=now | bucket span=7d _time | eval day_week=strftime(_time, "%d/%b") | replace * with "week of *" in day_week | stats avg(TimeTakenMS) by cs_uri_stem, day_week
0 Karma

Builder

Can you please share the expected output?

Thanks!!

0 Karma

New Member

Hi, I am trying to get this output:

    cs_uri_stem      Week1   Week2   Week3
    /SearchQuery1    123     122     110
    /SearchQUery2    43      54      49

where week columns are derived from the same daytime value per week.

TIA

0 Karma
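
One way to get the wide layout asked for in this thread (one row per `cs_uri_stem`, one column per week, each column computed over the same weekday and hour window), as an added example that is not part of any post above. The window (Monday, 09:00 to 17:00), the field names `week_start`, `wday`, `hour` and `week`, and the `%Y-%m-%d` column label are assumptions chosen for illustration; `latest=@w` restricts the search to the three complete previous weeks.

```spl
sourcetype=iis tag=webserver cs_uri_stem="/SearchQuery*" earliest=-3w@w latest=@w
| eval week_start=relative_time(_time, "@w")
| eval wday=strftime(_time, "%w"), hour=tonumber(strftime(_time, "%H"))
| where wday="1" AND hour>=9 AND hour<17
| eval week="week of ".strftime(week_start, "%Y-%m-%d")
| chart avg(TimeTakenMS) over cs_uri_stem by week
```

`chart ... over ... by` pivots the `by` field into columns, which `stats ... by cs_uri_stem, day_week` does not; labelling the weeks as year-month-day keeps the columns in chronological order.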