Splunk Search

How to edit my chart to show weekly baseline of average and compare it to the daily average?

Nick_Hippe
New Member

Hi all. I'm creating a dashboard for one of our systems, and am trying to create a chart that will show the previous 7 days average (baseline), and compare with the ongoing / current daily average. Reason for this would be to see if we're exceeding, or if there are spikes above the weekly average.

Based on the dashboard I'm creating, my search is a little goofy, since I'm piping in an inputlookup, as well as using transaction since there are multiple start/stop times for the entire transaction. So I'm using transaction to get my duration for each job.

Here's an example of my search:

index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host] | transaction job_guid keepevicted=true

The above will give me a detailed breakdown of start/stop times for my transactions / jobs, based on a guid. This tells me the entire processing time for my transactions. I'm getting my ongoing / current daily average by piping the following:

| timechart avg(duration) AS avg_sec | fillnull value=0

Running this for the day (our dashboard would display all data for current day, and refresh every minute), would show _time & avg_sec (not using span, just letting it timechart for the day automatically). There are gaps since the transactions are not occurring 24/7, which is why I'm filling null with 0.

So my question to you all is, how can I pull the previous 7 days average, into my ongoing / current daily average, in order to compare last 7 days average, with the current day average? Am I going about my averages all wrong? Appreciate the help folks!

0 Karma

maniishpawar
Path Finder
0 Karma

sundareshr
Legend

Try this approach

index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host]  earliest=-7d@d | stats earliest(_time) as start latest(_time) as end by job_guid | eval when=if(start>relative_time(now(), "@d"), "Today's Average", "Last Week Average") | eval duration=end-start | chart avg(duration) as duration over job_guid by when | foreach *Average [eval '<<FIELD>>'=tostring('<<FIELD>>', "duration")]
0 Karma
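Another way to get the baseline into the same result set, added here as an example and not part of the original question or answer: keep the asker's timechart for the current day, then pull the previous 7 days' overall average in as a constant column via a subsearch that uses return, so the two lines can be plotted on one chart and the gap between them measured. The index, lookup, field names and the hourly span are taken from or assumed from the thread (earliest=@d stands in for the dashboard's "today" time picker; the baseline window is fixed to the 7 full days before midnight):

```spl
index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host] earliest=@d
| transaction job_guid keepevicted=true
| timechart span=1h avg(duration) AS today_avg_sec
| fillnull value=0 today_avg_sec
| eval baseline_avg_sec=[search index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host] earliest=-7d@d latest=@d
    | transaction job_guid keepevicted=true
    | stats avg(duration) AS b
    | return $b]
| eval pct_of_baseline=round(100*today_avg_sec/baseline_avg_sec, 1)
| eval above_baseline=if(today_avg_sec>baseline_avg_sec, 1, 0)
```

The inner search is expanded before eval runs, so `return $b` becomes a literal number and baseline_avg_sec is the same value on every row, which a line chart draws as a flat reference line under the hourly today_avg_sec series. above_baseline is a per-bucket flag that can drive a dashboard colour or an alert when today's average exceeds the weekly baseline. Two caveats worth checking: if the 7-day window contains no transactions the subsearch returns nothing and the eval errors out (run the inner search on its own first to confirm it yields a value), and because the subsearch re-runs transaction over a week of data on every refresh, a heavier deployment would normally pre-compute the baseline into a lookup or summary index with a scheduled search instead.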