Hi Splunkers, I came across a situation where:
1) I have to find transactions that are taking 20% more time than the average transaction time of the previous year.
2) Compare the transactions with the same TXN_NAME in the current year and the previous year.
Current year log : 28/02/2013 12:31:15 TXN_NAME=JOB8607J TXN_ID=8483D START-TIME=28/02/2013 12:31:15 END-TIME=28/02/2013 12:35:17 TXN-TIME=4.03 CPU-TIME=2.25
last year log : 2/07/2012 2:31:19 TXN_NAME=JOB8607J TXN_ID=8102D START-TIME=2/07/2013 2:31:19 END-TIME=2/07/2012 2:35:17 TXN-TIME=4.02 CPU-TIME=1.3
You could first compute the average per TXN_NAME from the previous year and save it in a lookup table (see Splunk Docs), and second, search the current data, add the average from last year to your results, and compare the runtime to 1.2*average.
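The two steps from the answer (build a per-TXN_NAME baseline from last year, then compare this year's events against 1.2 times that baseline), written out in Python as an added example; it is not part of the original thread and is not Splunk search syntax. The sample events are constructed in the post's log format, and the function names are hypothetical. Transactions with no previous-year baseline are skipped rather than flagged.

```python
import re
from collections import defaultdict

# Constructed events in the post's log format (START-TIME/END-TIME omitted);
# only the JOB8607J timings 4.02 and 4.03 come from the post.
SAMPLE_LOG = """\
2/07/2012 2:31:19 TXN_NAME=JOB8607J TXN_ID=8102D TXN-TIME=4.02 CPU-TIME=1.3
9/08/2012 3:10:00 TXN_NAME=JOB8607J TXN_ID=8105D TXN-TIME=3.98 CPU-TIME=1.2
11/03/2012 9:00:00 TXN_NAME=JOB1111A TXN_ID=7001D TXN-TIME=10.0 CPU-TIME=5.0
28/02/2013 12:31:15 TXN_NAME=JOB8607J TXN_ID=8483D TXN-TIME=4.03 CPU-TIME=2.25
01/03/2013 08:00:00 TXN_NAME=JOB8607J TXN_ID=8490D TXN-TIME=5.10 CPU-TIME=2.9
01/03/2013 09:00:00 TXN_NAME=JOB1111A TXN_ID=7100D TXN-TIME=11.5 CPU-TIME=6.0
01/03/2013 10:00:00 TXN_NAME=JOB9999Z TXN_ID=9000D TXN-TIME=1.0 CPU-TIME=0.5
"""

EVENT_RE = re.compile(r"^\d{1,2}/\d{1,2}/(\d{4}) \S+ (.*)$")

def parse(line):
    """Return (year, fields) for one event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return int(m.group(1)), fields

def baseline(events, year):
    """Step 1: average TXN-TIME per TXN_NAME for one year (the lookup table)."""
    times = defaultdict(list)
    for y, f in events:
        if y == year:
            times[f["TXN_NAME"]].append(float(f["TXN-TIME"]))
    return {name: sum(v) / len(v) for name, v in times.items()}

def slow_transactions(events, year, avg_prev, factor=1.2):
    """Step 2: events of `year` whose TXN-TIME exceeds factor * last year's average."""
    slow = []
    for y, f in events:
        avg = avg_prev.get(f["TXN_NAME"])  # None: no baseline for this name
        if y == year and avg is not None and float(f["TXN-TIME"]) > factor * avg:
            slow.append((f["TXN_NAME"], f["TXN_ID"], float(f["TXN-TIME"]), avg))
    return slow

EVENTS = [e for e in map(parse, SAMPLE_LOG.splitlines()) if e]
AVG_2012 = baseline(EVENTS, 2012)
SLOW_2013 = slow_transactions(EVENTS, 2013, AVG_2012)

if __name__ == "__main__":
    for name, txn_id, t, avg in SLOW_2013:
        print(f"{name} {txn_id}: {t:.2f} vs. 2012 average {avg:.2f}")
```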