Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to plot a delta timechart of average response ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
03-18-2017
02:08 AM
I have data like:
timestamp, serviceName, responseTime(in ms)
I want to plot the per minute delta of avg. responseTime (difference between avg responseTime yesterday vs today) by serviceName. Average is taken every minute. I want to observe only half an hour window.
Sample data:
03/17/2017 00:00:01 service1 242
03/17/2017 00:00:02 service2 300
03/17/2017 00:00:03 service3 350
03/17/2017 00:00:04 service1 280
03/17/2017 00:00:05 service2 290
03/17/2017 00:00:06 service3 300
:
:
03/18/2017 00:00:01 service1 1242
03/18/2017 00:00:02 service2 1300
03/18/2017 00:00:03 service3 1350
03/18/2017 00:00:04 service1 1280
03/18/2017 00:00:05 service2 1290
03/18/2017 00:00:06 service3 1300
Now,
- The avg(ResponseTime) of service1 for 03/17/2017 00:00 is (242+280)/2 = 261ms
- The avg(ResponseTime) of service1 for 03/18/2017 00:00 is (1242+1280)/2 = 1261ms
- Hence the delta avg(RespTime) for service 1 at 00:00 between yesterday and today is 1261-261 = 1000ms. It might also be negative 1000 if it was 1261 yesterday and 261 today.
I want to plot this delta by service name on a timechart for a window of last 30 minutes from now only. Please assist.
NOTE
- Services are more than three
- One service might get called mote than other service within a minute. So service1 might get called multiple times within a minute while chances are service2 might not be called at all within that minute.
- There is no sequence in which services are called (sample data makes it look like service1, 2 and 3 are in sequence)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-18-2017
09:06 AM
Here is a run anywhere example (you will swap your base search and host for service and 1h for 1m😞
index=_introspection sourcetype=splunk_resource_usage
| timechart span=1h avg(data.reads_kb_ps) AS HourlyAvgResponseTime BY host
| untable _time host HourlyAvgResponseTime
| eval hourmin=strftime(_time, "%H:%M")
| reverse
| streamstats current=f last(HourlyAvgResponseTime) AS prevHourlyAvgResponseTime BY hourmin host
| reverse
| eval delta=HourlyAvgResponseTime-prevHourlyAvgResponseTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-18-2017
09:06 AM
Here is a run anywhere example (you will swap your base search and host for service and 1h for 1m😞
index=_introspection sourcetype=splunk_resource_usage
| timechart span=1h avg(data.reads_kb_ps) AS HourlyAvgResponseTime BY host
| untable _time host HourlyAvgResponseTime
| eval hourmin=strftime(_time, "%H:%M")
| reverse
| streamstats current=f last(HourlyAvgResponseTime) AS prevHourlyAvgResponseTime BY hourmin host
| reverse
| eval delta=HourlyAvgResponseTime-prevHourlyAvgResponseTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
03-18-2017
02:32 AM
Hi gokadroid,
see timewrap command (http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Timewrap)
your_search
| timechart avg(responsetime) AS responsetime count span=min
| timewrap 1d align=now
| sort -_time
| head 30
| eval diff=responsetime_latest_day-responsetime_1day_before
| table _time responsetime_latest_day responsetime_1day_before diff
| rename responsetime_latest_day AS Today responsetime_1day_before AS Yesterday diff AS Difference
Using 2 days as time period
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
03-18-2017
02:39 AM
Thanks for the quick response but can you please provide computing the delta part of it?
Get Updates on the Splunk Community!
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
