How to compare today vs last week same hour stats ...

DougiieDee · ‎03-22-2023

I have this working query which needs some additional detailing.

index=_internal earliest=-1h@h latest=@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="Today"
| append
[ search index=_internal earliest=-7d-1h@h latest=-7d@h
| lookup api uri OUTPUT operation service
| rex "duration=(?<response_time>[^,]+)" | multikv | eval ReportKey="lastweek" | eval _time=_time+604800]
| stats first(uri) as apiName avg(response_time) as avgresponse_time count by operationName ReportKey

Is there a way to get like this where it will compare all average response time and then give the percentile differences.

operation

uri

today_avg

(response_time)

lastweek_avg

(response_time)

% differrences

avg(response_time)

today

count

last week

count

abc

/api/abc

222

333

12312

42343

xyz

/api/xyz

867

4234

87978

67867

yeahnah · ‎03-22-2023

Hi @DougiieDee

This same question has also been asked and anwsered here

https://community.splunk.com/t5/Splunk-Search/How-to-compare-today-hourly-stats-and-previous-week-sa...

How to compare today vs last week same hour stats and give percentage?

chart

eval

fields

join

lookup

metadata

stats

table

timechart

transaction

tstats

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Are you a member of the Splunk Community?

How to compare today vs last week same hour stats and give percentage?