Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Day of the Week table - current day vs Monthly avg
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_zen
Builder
06-20-2012
01:24 AM
I'm trying to get a table showing the current daily average vs the previous month average,
but I'm unsure I got the composed search right.
I've reverse engineered the following search starting from this one,
http://wiki.splunk.com/Community:Search_Report:_How_To_Create_a_Table_of_Day_of_Week_-_Monthly_Avera...
source=*SDP_term_causes.csv earliest=-4w@w latest=now
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| eval DayOfWeekC=strftime(_time, "%a")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv by DayOfMonthN, DayOfWeekC
| append
[ search source=*SDP_term_causes.csv earliest=-2mon@mon latest=-1mon@mon
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| eval DayOfWeekC=strftime(_time, "%a")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv_LastMonth by DayOfMonthN, DayOfWeekC ]
| stats first(DayOfWeekC) AS DayOfWeek, first(AvgAcceptInv) AS AvgAcceptInv_Month, first(AvgAcceptInv_LastMonth) AS AcceptInv_Avg_LastMonth by DayOfMonthN
| eval Diff=AvgAccepInv_Month-AccepInv_Avg_LastMonth
| fields DayOfMonthN, DayOfWeek, AvgAcceptInv_Month, AcceptInv_Avg_LastMonth, Diff
Can someone more experienced tell me if the search needs some correction?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
06-23-2012
07:51 PM
source=*SDP_term_causes.csv earliest=-30d@d latest=@d
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv by DayOfMonthN, DayOfWeek
| join type=outer DayOfMonthN
[ search source=*SDP_term_causes.csv earliest=-60d@d latest=-30d@d
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv_LastMonth by DayOfMonthN
| fields DayOfMonthN AvgAcceptInv_LastMonth ]
| eval Diff=AvgAccepInv-AccepInv_Avg_LastMonth
| fields DayOfMonthN, DayOfWeek, AvgAcceptInv, AcceptInv_Avg_LastMonth, Diff
This is how I would do it, but it might not be that different....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_zen
Builder
06-28-2012
06:48 AM
Ended up using comparing the current daily data with a 2month day of week average,
source=*SDP_term_causes.csv earliest=-4w@w latest=@d
| bucket _time span=1d
| eval nMonthDay=strftime(_time, "%d")
| eval WeekDay=strftime(_time, "%a")
| stats avg(TIMEOUT) AS AvgTimeouts by nMonthDay, WeekDay
| join type=outer WeekDay
[ search source=*SDP_term_causes.csv earliest=-2mon@mon latest=-1w@w
| bucket _time span=1d
| eval WeekDay=strftime(_time, "%a")
| stats avg(TIMEOUT) AS WeekDay2MonAvg by WeekDay
| fields WeekDay WeekDay2MonAvg ]
| eval Diff=AvgTimeouts-WeekDay2MonAvg
| fields nMonthDay, WeekDay, AvgTimeouts, WeekDay2MonAvg, Diff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
06-23-2012
07:51 PM
source=*SDP_term_causes.csv earliest=-30d@d latest=@d
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| eval DayOfWeek=strftime(_time, "%a")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv by DayOfMonthN, DayOfWeek
| join type=outer DayOfMonthN
[ search source=*SDP_term_causes.csv earliest=-60d@d latest=-30d@d
| bucket _time span=1d
| eval DayOfMonthN=strftime(_time, "%d")
| stats avg(SERVICE_ACCEPTED_INVOCATIONS) AS AvgAcceptInv_LastMonth by DayOfMonthN
| fields DayOfMonthN AvgAcceptInv_LastMonth ]
| eval Diff=AvgAccepInv-AccepInv_Avg_LastMonth
| fields DayOfMonthN, DayOfWeek, AvgAcceptInv, AcceptInv_Avg_LastMonth, Diff
This is how I would do it, but it might not be that different....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_zen
Builder
06-28-2012
06:46 AM
Thanks, ended up using the search in the following answer.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
