I have data like:
timestamp, serviceName, responseTime(in ms)
I want to plot the per-minute delta of avg. responseTime (difference between avg responseTime yesterday vs today) by serviceName. The average is taken every minute. I want to observe only a half-hour window.
03/17/2017 00:00:01 service1 242
03/17/2017 00:00:02 service2 300
03/17/2017 00:00:03 service3 350
03/17/2017 00:00:04 service1 280
03/17/2017 00:00:05 service2 290
03/17/2017 00:00:06 service3 300
:
:
03/18/2017 00:00:01 service1 1242
03/18/2017 00:00:02 service2 1300
03/18/2017 00:00:03 service3 1350
03/18/2017 00:00:04 service1 1280
03/18/2017 00:00:05 service2 1290
03/18/2017 00:00:06 service3 1300
- The avg(ResponseTime) of service1 for 03/17/2017 00:00 is (242+280)/2 = 261ms
- The avg(ResponseTime) of service1 for 03/18/2017 00:00 is (1242+1280)/2 = 1261ms
- Hence the delta avg(RespTime) for service 1 at 00:00 between yesterday and today is 1261-261 = 1000ms. It might also be negative 1000 if it was 1261 yesterday and 261 today.
I want to plot this delta by service name on a timechart for a window of last 30 minutes from now only. Please assist.
- There are more than three services.
- One service might get called more than another service within a minute. So service1 might get called multiple times within a minute, while service2 might not be called at all within that minute.
- There is no sequence in which services are called (the sample data makes it look like service1, 2 and 3 are in sequence).
See the timewrap command (http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Timewrap)
your_search
| timechart avg(responsetime) AS responsetime count span=min
| timewrap 1d align=now
| sort -_time
| head 30
| eval diff=responsetime_latest_day-responsetime_1day_before
| table _time responsetime_latest_day responsetime_1day_before diff
| rename responsetime_latest_day AS Today responsetime_1day_before AS Yesterday diff AS Difference
Using 2 days as time period
Here is a run anywhere example (you will swap your base search and
index=_introspection sourcetype=splunk_resource_usage
| timechart span=1h avg(data.reads_kb_ps) AS HourlyAvgResponseTime BY host
| untable _time host HourlyAvgResponseTime
| eval hourmin=strftime(_time, "%H:%M")
| reverse
| streamstats current=f last(HourlyAvgResponseTime) AS prevHourlyAvgResponseTime BY hourmin host
| reverse
| eval delta=HourlyAvgResponseTime-prevHourlyAvgResponseTime
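
The calculation described in the question, written out in Python as an added example that is not part of any post in this thread; it can serve as a reference for checking what a search returns. The function names are hypothetical, and the last sample line is constructed to show a service with no event in the same minute on the previous day.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sample events from the question, plus one constructed line (the last one)
# for a minute in which service1 has no matching event on the previous day.
SAMPLE = """\
03/17/2017 00:00:01 service1 242
03/17/2017 00:00:02 service2 300
03/17/2017 00:00:03 service3 350
03/17/2017 00:00:04 service1 280
03/17/2017 00:00:05 service2 290
03/17/2017 00:00:06 service3 300
03/18/2017 00:00:01 service1 1242
03/18/2017 00:00:02 service2 1300
03/18/2017 00:00:03 service3 1350
03/18/2017 00:00:04 service1 1280
03/18/2017 00:00:05 service2 1290
03/18/2017 00:00:06 service3 1300
03/18/2017 00:01:10 service1 500
"""

def minute_averages(text):
    """Return {(minute_start, service): average responseTime in ms}."""
    sums = defaultdict(lambda: [0, 0])  # running [total, count] per bucket
    for line in text.splitlines():
        date, clock, service, ms = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        bucket = sums[(ts.replace(second=0), service)]
        bucket[0] += int(ms)
        bucket[1] += 1
    return {key: total / n for key, (total, n) in sums.items()}

def day_over_day_delta(text, now, window_minutes=30):
    """Per minute and service: today's average minus yesterday's, for the window ending at `now`."""
    avgs = minute_averages(text)
    start = now - timedelta(minutes=window_minutes)
    deltas = {}
    for (minute, service), today in avgs.items():
        if not (start <= minute <= now):
            continue
        yesterday = avgs.get((minute - timedelta(days=1), service))
        # No call in the same minute yesterday: report a gap, not a delta of 0.
        deltas[(minute, service)] = None if yesterday is None else today - yesterday
    return deltas
```

A service that was called yesterday but not today produces no entry for that minute, so sparse services appear as gaps rather than as misleading deltas.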