YoY query for comparing two products together

johnsvakel · ‎08-08-2024

I am working on a tax product and we have products per tax year. Now I want to compare the performance of the tax products in a time chart and I did like below (This is in a splunk dashboard)

index=cls_prod_app appname=Lacerte applicationversion=$applicationversion$ message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
| append [
search index=cls_prod_app appname=Lacerte applicationversion=2022 message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
]
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

$applicationversion$ is user input and it will be 2023 or 2024 like this string.

1. I want to append a search if user type in 2023 then as 2022. tostring(tonumber($applicationversion$)-) is not working for me somehow. toint tells me it is not a valid methd
2. I want to plot this in special way, for example, if I search 2023 for last 30 days, actual 2022 real performance should be of last year data. What I need is if select 2023, last 30 days today on Aug,08-2024 then I want to compare last 30 days of 2023 and last years (Aug08, 2023)'s last 30 days data in a time chart to see the real graph for any deviation. Is there any way to achieve this in splunk?

yuanliu · ‎08-11-2024

I think the approach should be adjusted. When a user selects 2023, you can always make any value out of it, e.g., "2022, 2023". Theoretically, you can even use a secondary token setter to calculate if the input is free text, not a selector. Then, you search can simply be

index=cls_prod_app appname=Lacerte applicationversion IN ($applicationversion$) message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

Here is an example in Simple XML for input:

    <input type="dropdown" token="applicationversion">
      <label>Version</label>
      <choice value="2023,2024">2024</choice>
      <choice value="2022,2023">2023</choice>
]      <prefix> </prefix>
      <suffix> </suffix>
    </input>

johnsvakel · ‎08-11-2024

Thanks, But for me the problem is relative year data in chart I need.
If I select 2023, Aug 12 for last 30 days, then in the chart I need two line

2023 data from Now to -30 days

2022 data from "now-1y" to -30 days

Can we plot this in single time chart ?

yuanliu · ‎08-12-2024

If I select 2023, Aug 12 for last 30 days, then in the chart I need two line
2023 data from Now to -30 days
2022 data from "now-1y" to -30 days
Can we plot this in single time chart ?

You need to very carefully state your use case (without using SPL). Your sample code definitely does not suggest two time intervals. Now that you need two time intervals, you also need to specify

How do you "select 2023, Aug 12 for last 30 days?" Do you use a time input? (I will assume yes.)
Is this input independent of the other user selection of version, i.e., 2024 or 2023? (I will also assume yes.)

Without these specifics, your question is unanswerable. You also should specify how the result should look like, and give some mock data, then illustrate some mock result. SPL should be the last thing to illustrate; if you illustrate SPL that does not give you desired results, you should illustrate actual output from the code when applied to the exact illustrated dataset.

Anyway, my solution is the same: set up tokens to modify search terms. As I mentioned, you can set up auxiliary tokens based on user selection. In this example, I add two additional tokens $early_start$ and $early_end$ base on the time selector $interval$. Your search term should be

index=cls_prod_app applicationversion IN ($applicationversion$)
  ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

Here is a demo dashboard in Simple XML. (Token management in Dashboard Studio is different, but the same principle applies.)

<form version="1.1" theme="light">
  <label>Set token applicationversion</label>
  <description>https://community.splunk.com/t5/Splunk-Search/YoY-query-for-comparing-two-products-together/m-p/695943</description>
  <search>
    <query>
      | makeresults
    </query>
    <progress>
      <eval token="early_start">if(match($interval.earliest$, "-"), $interval.earliest$ . "-1y", relative_time($interval.earliest$, "-1y"))</eval>
      <eval token="early_end">case(match($interval.latest$, "-"), $interval.latest$ . "-1y", $interval.latest$ == "now", relative_time(now(), "-1y"), true(), relative_time($interval.latest$, "-1y"))</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="applicationversion" searchWhenChanged="true">
      <label>Version</label>
      <choice value="2024,2023">2024</choice>
      <choice value="2023,2022">2023</choice>
      <initialValue>2024,2023</initialValue>
    </input>
    <input type="time" token="interval">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>(earliest = $interval.earliest$, latest = $interval.latest$) OR (earliest = $early_start$ latest = $early_end$) applicationversion IN ($applicationversion$)</title>
      <html>Your end search would be
        <pre>
index=cls_prod_app applicationversion IN ($applicationversion$)
  ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
        </pre>
      </html>
    </panel>
  </row>
</form>

Play with this dashboard. If you select applicationvesion: 2023 and date range July 13, 2023 - August 12, 2023, your search will be rendered as

index=cls_prod_app applicationversion IN (2023,2022)
  ((earliest=1689231600 latest=1691910000) OR (earliest = 1691218800 latest = 1691834497))
  appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

johnsvakel · ‎08-08-2024

Yes

ITWhisperer · ‎08-08-2024

Try something like this

index=cls_prod_app appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
    [| makeresults
    | eval latest=relative_time(now(),"@d")
    | eval row=mvrange(0,2)
    | mvexpand row
    | eval latest=relative_time(latest,"@d-".row."y")
    | eval earliest=relative_time(latest,"-30d")
    | eval applicationversion=$applicationversion$-row 
    | table earliest latest applicationversion]

johnsvakel · ‎08-08-2024

This still gives me only one year results - 2023

ITWhisperer · ‎08-08-2024

What does your job inspection say about the time period of your search?

johnsvakel · ‎08-11-2024

2023
earliestTime 2023-07-10T00:00:00.000-07:00
latestTime 2024-08-09T00:00:00.000-07:00
modifiedTime 2024-08-11T21:58:51.151-07:00

2022
latestTime 2024-08-09T00:00:00.000-07:00
modifiedTime 2024-08-11T21:58:51.151-07:00

I can see 2022 and 2023 searches, but somehow I am not able to figure out where it is going wrong.

ITWhisperer · ‎08-12-2024

Try running the search in the search app and look at the job - here I have done a similar search but I don't have access to your data and my indexes don't hold any data as far back as a year so I have used the last hour and the same time the previous day

index=_audit 
    [| makeresults
    | eval latest=relative_time(now(),"@h")
    | eval row=mvrange(0,2)
    | mvexpand row
    | eval latest=relative_time(latest,"@h-".row."d")
    | eval earliest=relative_time(latest,"-1h")
    | table earliest latest]
| bin span=1h _time 
| stats count by _time

Go to Inspect Job

Then Job Details Dashboard and look at the Map Phase Search String

You should see the time periods being searched. They will be in epoch time so you can copy them into another search to show their formatted versions

Do yours correlate to the values you were expecting

ITWhisperer · ‎08-08-2024

I am confused by what you are actually asking for. Let's say today is 8th August 2024 and the user enters 2023 for application version, are you wanting to compare two time periods, each 30 days prior to 8th August, one for 2024 and the other for 2023. In those time periods, you want application version to be 2023 for the 2024 search and 2022 for the 2023 time period?

YoY query for comparing two products together

subsearch

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...