index = abc earliest=-70m@m latest=@m| stats avg(AVERAGE_RESPONSE_TIME) as Today by Time Application_Name |eval Today= round(Today,2) |appendcols [search index = abc earliest=-7d@m-70m latest=-7d@m |stats avg(AVERAGE_RESPONSE_TIME) as LastWeek by Time Application_Name |eval LastWeek= round(LastWeek,2)|eval _time=relative_time(now(),"-7d")]|lookup RESP_LOOKUP_App Application_Name as Application_Name OUTPUTNEW RESP_DEVIATION_THRESHOLD | eval AVG_RESPONSE_Deviation=(Today/LastWeek)*100|table Time Application_Name Today LastWeek AVG_RESPONSE_Deviation RESP_DEVIATION_THRESHOLD | where AVG_RESPONSE_Deviation>RESP_DEVIATION_THRESHOLD
My Aim is to compare the Avg value for a Particular Application_Name for today with the last week for any particular timing.
E.g Today For a particular time "t" for a particular Application_Name "x" . I am calculating the Average of "AVERAGE_RESPONSE_TIME" field mentioned in the logs. When I am trying to find the average of AVERAGE_RESPONSE_TIME field for the application named "x", for the particular time "t" in the last week, it is not showing the correct value. I guess it is considering another Application_Name and showing the Average of Average_Response_Time for other application_names for that time.
Please help to modify the query
... View more