Splunk Search

YoY query for comparing two products together

johnsvakel
Observer

I am working on a tax product and we have products per tax year. Now I want to compare the performance of the tax products in a time chart and I did like below (This is in a splunk dashboard)

index=cls_prod_app appname=Lacerte applicationversion=$applicationversion$ message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
| append [
search index=cls_prod_app appname=Lacerte applicationversion=2022 message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
]
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0





$applicationversion$ is user input and it will be 2023 or 2024 like this string. 

1. I want to append a search if user type in 2023 then as 2022.  tostring(tonumber($applicationversion$)-) is not working for me somehow. toint tells me it is not a valid methd
2. I want to plot this in special way, for example, if I search 2023 for last 30 days, actual 2022 real performance should be of last year data. What I need is if select 2023, last 30 days today on Aug,08-2024 then I want to compare last 30 days of 2023 and last years (Aug08, 2023)'s last 30 days data in a time chart to see the real graph for any deviation. Is there any way to achieve this in splunk?

Labels (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I think the approach should be adjusted.  When a user selects 2023, you can always make any value out of it, e.g., "2022, 2023".  Theoretically, you can even use a secondary token setter to calculate if the input is free text, not a selector.  Then, you search can simply be

index=cls_prod_app appname=Lacerte applicationversion IN ($applicationversion$) message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

Here is an example in Simple XML for input:

    <input type="dropdown" token="applicationversion">
      <label>Version</label>
      <choice value="2023,2024">2024</choice>
      <choice value="2022,2023">2023</choice>
]      <prefix> </prefix>
      <suffix> </suffix>
    </input>
0 Karma

johnsvakel
Observer

Thanks, But for me the problem is relative year data in chart I need. 
If I select 2023, Aug 12 for last 30 days, then in the chart I need two line

2023 data from Now to -30 days

2022 data from "now-1y" to -30 days  

 

Can we plot this in single time chart ?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

If I select 2023, Aug 12 for last 30 days, then in the chart I need two line

2023 data from Now to -30 days

2022 data from "now-1y" to -30 days  

Can we plot this in single time chart ?



You need to very carefully state your use case (without using SPL).  Your sample code definitely does not suggest two time intervals.  Now that you need two time intervals, you also need to specify

  1. How do you "select 2023, Aug 12 for last 30 days?"  Do you use a time input? (I will assume yes.)
  2. Is this input independent of the other user selection of version, i.e., 2024 or 2023? (I will also assume yes.)

Without these specifics, your question is unanswerable.  You also should specify how the result should look like, and give some mock data, then illustrate some mock result.  SPL should be the last thing to illustrate; if you illustrate SPL that does not give you desired results, you should illustrate actual output from the code when applied to the exact illustrated dataset.

Anyway, my solution is the same: set up tokens to modify search terms.  As I mentioned, you can set up auxiliary tokens based on user selection.  In this example, I add two additional tokens $early_start$ and $early_end$ base on the time selector $interval$.  Your search term should be

index=cls_prod_app applicationversion IN ($applicationversion$)
  ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

Here is a demo dashboard in Simple XML. (Token management in Dashboard Studio is different, but the same principle applies.)

<form version="1.1" theme="light">
  <label>Set token applicationversion</label>
  <description>https://community.splunk.com/t5/Splunk-Search/YoY-query-for-comparing-two-products-together/m-p/695943</description>
  <search>
    <query>
      | makeresults
    </query>
    <progress>
      <eval token="early_start">if(match($interval.earliest$, "-"), $interval.earliest$ . "-1y", relative_time($interval.earliest$, "-1y"))</eval>
      <eval token="early_end">case(match($interval.latest$, "-"), $interval.latest$ . "-1y", $interval.latest$ == "now", relative_time(now(), "-1y"), true(), relative_time($interval.latest$, "-1y"))</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="applicationversion" searchWhenChanged="true">
      <label>Version</label>
      <choice value="2024,2023">2024</choice>
      <choice value="2023,2022">2023</choice>
      <initialValue>2024,2023</initialValue>
    </input>
    <input type="time" token="interval">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>(earliest = $interval.earliest$, latest = $interval.latest$) OR (earliest = $early_start$ latest = $early_end$) applicationversion IN ($applicationversion$)</title>
      <html>Your end search would be
        <pre>
index=cls_prod_app applicationversion IN ($applicationversion$)
  ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
        </pre>
      </html>
    </panel>
  </row>
</form>

Play with this dashboard.  If you select applicationvesion: 2023 and date range July 13, 2023 - August 12, 2023, your search will be rendered as

index=cls_prod_app applicationversion IN (2023,2022)
  ((earliest=1689231600 latest=1691910000) OR (earliest = 1691218800 latest = 1691834497))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

set-token.png

0 Karma

johnsvakel
Observer
  • Yes 
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=cls_prod_app appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
    [| makeresults
    | eval latest=relative_time(now(),"@d")
    | eval row=mvrange(0,2)
    | mvexpand row
    | eval latest=relative_time(latest,"@d-".row."y")
    | eval earliest=relative_time(latest,"-30d")
    | eval applicationversion=$applicationversion$-row 
    | table earliest latest applicationversion]
0 Karma

johnsvakel
Observer

This still gives me only one year results - 2023

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What does your job inspection say about the time period of your search?

0 Karma

johnsvakel
Observer

2023
earliestTime 2023-07-10T00:00:00.000-07:00
latestTime 2024-08-09T00:00:00.000-07:00
modifiedTime 2024-08-11T21:58:51.151-07:00

2022
latestTime 2024-08-09T00:00:00.000-07:00
modifiedTime 2024-08-11T21:58:51.151-07:00

I can see 2022 and 2023 searches, but somehow I am not able to figure out where it is going wrong.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try running the search in the search app and look at the job - here I have done a similar search but I don't have access to your data and my indexes don't hold any data as far back as a year so I have used the last hour and the same time the previous day

index=_audit 
    [| makeresults
    | eval latest=relative_time(now(),"@h")
    | eval row=mvrange(0,2)
    | mvexpand row
    | eval latest=relative_time(latest,"@h-".row."d")
    | eval earliest=relative_time(latest,"-1h")
    | table earliest latest]
| bin span=1h _time 
| stats count by _time

ITWhisperer_0-1723445702685.png

Go to Inspect Job

ITWhisperer_1-1723445815848.png

Then Job Details Dashboard and look at the Map Phase Search String

ITWhisperer_2-1723445936661.png

You should see the time periods being searched. They will be in epoch time so you can copy them into another search to show their formatted versions

ITWhisperer_3-1723446361793.png

Do yours correlate to the values you were expecting

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am confused by what you are actually asking for. Let's say today is 8th August 2024 and the user enters 2023 for application version, are you wanting to compare two time periods, each 30 days prior to 8th August, one for 2024 and the other for 2023. In those time periods, you want application version to be 2023 for the 2024 search and 2022 for the 2023 time period?

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...