Splunk Search

How to edit my chart to show weekly baseline of average and compare it to the daily average?

Nick_Hippe
New Member

Hi all. I'm creating a dashboard for one of our systems, and am trying to create a chart that will show the previous 7 days average (baseline), and compare with the ongoing / current daily average. Reason for this would be to see if we're exceeding, or if there are spikes above the weekly average.

Based on the dashboard I'm creating, my search is a little goofy, since I'm piping in an inputlookup, as well as using transaction since there are multiple start/stop times for the entire transaction. So I'm using transaction to get my duration for each job.

Here's an example of my search:

index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host] | transaction job_guid keepevicted=true

The above will give me a detailed breakdown of start/stop times for my transactions / jobs, based on a guid. This tells me the entire processing time for my transactions. I'm getting my ongoing / current daily average by piping the following:

| timechart avg(duration) AS avg_sec | fillnull value=0

Running this for the day (our dashboard would display all data for current day, and refresh every minute), would show _time & avg_sec (not using span, just letting it timechart for the day automatically). There are gaps since the transactions are not occuring 24/7, which is why I'm filling null with 0.

So my question to you all is, how can I pull the previous 7 days average, into my ongoing / current daily average, in order to compare last 7 days average, with the current day average? Am I going about my averages all wrong? Appreciate the help folks!

0 Karma

maniishpawar
Path Finder
0 Karma

sundareshr
Legend

Try this approach

index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host]  earliest=-7d@d | stats earliest(_time) as start latest(_time) as end by job_guid | eval when=if(start>relative_time(now(), "@d"), "Today's Average", "Last Week Average") | eval duration=end-start | chart avg(duration) as duration over job_guid by when | foreach *Average [eval '<<FIELD>>'=tostring('<<FIELD>>', "duration")]
0 Karma
Get Updates on the Splunk Community!

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...