How to compare today vs last week same hour stats ...

DougiieDee · ‎03-22-2023

I have this working query which needs some additional detailing.

index=_internal earliest=-1h@h latest=@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="Today"
| append
[ search index=_internal earliest=-7d-1h@h latest=-7d@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="lastweek" | eval _time=_time+604800]
| stats first(uri) as apiName avg(response_time) as avgresponse_time count by operationName ReportKey

Is there a way to get like this where it will compare all average response time and then give the percentile differences.

operation

uri

today_avg

(response_time)

lastweek_avg

(response_time)

% differrences

avg(response_time)

today

count

last week

count

abc

/api/abc

222

333

12312

42343

xyz

/api/xyz

867

4234

87978

67867

yeahnah · ‎03-22-2023

Hi @DougiieDee

This same question has also been asked and anwsered here

https://community.splunk.com/t5/Splunk-Search/How-to-compare-today-hourly-stats-and-previous-week-sa...

How to compare today vs last week same hour stats and give percentage?

chart

eval

fields

join

lookup

metadata

stats

table

timechart

transaction

tstats

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All