Dashboards & Visualizations

Compare the past 2 weeks' data in a single graph with a changeable time range [with time picker]

pjtbasu
Explorer

Hi,

I have a dashboard to measure service performance for the past week (Monday-Sunday) and I run it every Monday. The dashboard has a time picker to select the dates from the past week's Monday to Sunday. Please find one example query and the output below.

There is a new requirement to add the same metrics (average response, p99 response and volume) for the week before that. The goal is to have comparative data for these 3 metrics between the past 2 weeks.

Just to mention, I have 50 such services present in the dashboard, so it is already taking a lot of time. Is it doable without making the query too complex?

index=indexname servicename1 "completed in"
| rex field=MSG ".*completed in\s(?<ResponseTime>[^\s]+)"
| dedup sessionid
| timechart perc90(ResponseTime), eval(round(avg(ResponseTime),0)) as "avg(ResponseTime)", count(ResponseTime) as "Total Volume"

0 Karma

valiquet
Contributor

timewrap function is quite useful. Like DalJeanis said, it could be resource consuming.

index=indexname servicename1 "completed in"
| rex field=MSG ".*completed in\s(?<ResponseTime>[^\s]+)"
| dedup sessionid
| timechart span=5m limit=0 perc90(ResponseTime), eval(round(avg(ResponseTime),0)) as "avg(ResponseTime)", count(ResponseTime) as "Total Volume"
| timewrap 1d series=exact
0 Karma

DalJeanis
SplunkTrust

1) This is a great use case for a summary index. There is no reason to chew up this data over and over again. However, we're going to pretend you don't have the access to do that and work with what you have.

2) If you have 50 panels on the same page that are all building similar data, then the best way would be to have a single base search pulling the data and aggregating it, then have the individual panels displaying their own chunk of the data. In that way, you have exactly one thing to change for each panel: the value in the servicename token.

3) Unfortunately, timechart is finicky about doing more than 10 of anything, so the WAY you aggregate it is going to matter. We're going to assume you never need to get below one hour of resolution, so we're going to create the data at that level. If you wanted to accurately go below and/or above that level, then you'd have to preserve the sum of the response times as well as the count.

Your base search is going to look something like this...

index=indexname "completed in" 
| fields sessionid  ... plus whatever you need for ServiceName ...
| rex field=MSG "completed in\s(?<ResponseTime>[^\s]+)"
| dedup sessionid
| .... code to set your ServiceName here ....
| bin _time span=1h
| stats perc90(ResponseTime) as p90resp,
    avg(ResponseTime) as avgresp,
    count(ResponseTime) as volume
    by _time ServiceName

| rename COMMENT as "move all dates forward into the last week then format the week date label"
| rename COMMENT as "@w1 snaps to Monday 00:00 to match the Monday-Sunday week; plain @w would snap to Sunday"
| eval weekdate = relative_time(_time,"@w1")
| eventstats max(weekdate) as maxweek
| eval _time=_time-weekdate+maxweek
| eval weekdate = strftime(weekdate,"Week %Y-%m-%d")

You could also format the week date label something like this...

| eval weekno=floor((maxweek-weekdate)/604800)
| eval weekdate = case(weekno<1, "Current Week", weekno=1, "Prior Week", true(), tostring(weekno)." Weeks Prior")

Then the individual searches will look like this...

... from base search...
| where ServiceName="$ServiceNameTokenForThisPanel$"
| timechart span=1h max(p90resp) as "P90(ResponseTime)",
                    eval(round(avg(avgresp),0)) as "avg(ResponseTime)",
                    sum(volume) as "Total Volume"
        by weekdate
0 Karma
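To make the time-shift idea in the two answers above concrete, here is an added worked example in Python. It is not SPL and not code from either answer or from Splunk; it re-implements the same steps (dedup by session, hourly bins, snap to Monday with the @w1 semantics, shift every event forward into the latest week, label by week) over constructed sample events embedded in the script. The nearest-rank percentile is a stand-in for Splunk's perc90(), and merge_averages() illustrates the caveat in point 3: carry sum and count if you ever need to re-aggregate, because an average of hourly averages is wrong and percentiles cannot be merged at all.

```python
"""Overlay two weeks of one service's response times on a single time axis.

Each event's timestamp is moved forward by whole weeks so it lands in the most
recent week and is labelled "Current Week", "Prior Week" or "N Weeks Prior".
Hourly buckets keep the raw samples, so avg and p90 come from the events.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEEK = timedelta(weeks=1)


def _ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample events (not real log data): two Mondays, one week apart.
SAMPLE_EVENTS = [
    {"_time": _ts("2024-01-01 09:05"), "sessionid": "a1", "service": "svc1", "resp_ms": 120},
    {"_time": _ts("2024-01-01 09:20"), "sessionid": "a2", "service": "svc1", "resp_ms": 180},
    {"_time": _ts("2024-01-01 09:20"), "sessionid": "a2", "service": "svc1", "resp_ms": 999},  # duplicate session
    {"_time": _ts("2024-01-01 10:10"), "sessionid": "a3", "service": "svc1", "resp_ms": 300},
    {"_time": _ts("2024-01-08 09:02"), "sessionid": "b1", "service": "svc1", "resp_ms": 150},
    {"_time": _ts("2024-01-08 09:45"), "sessionid": "b2", "service": "svc1", "resp_ms": 250},
    {"_time": _ts("2024-01-08 09:50"), "sessionid": "b3", "service": "svc1", "resp_ms": 200},
    {"_time": _ts("2024-01-08 09:30"), "sessionid": "c1", "service": "svc2", "resp_ms": 50},
]


def week_start(ts):
    """Equivalent of relative_time(_time, "@w1"): snap to Monday 00:00."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return day - timedelta(days=day.weekday())


def week_label(weeks_back):
    """Same labels as the case() expression in the answer above."""
    if weeks_back < 1:
        return "Current Week"
    if weeks_back == 1:
        return "Prior Week"
    return f"{weeks_back} Weeks Prior"


def dedup_by_session(events):
    """Like `dedup sessionid`: keep the first event seen per session."""
    seen, kept = set(), []
    for ev in events:
        if ev["sessionid"] not in seen:
            seen.add(ev["sessionid"])
            kept.append(ev)
    return kept


def percentile(values, pct):
    """Nearest-rank percentile (an approximation of Splunk's perc<N>())."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def overlay_weeks(events, service, span=timedelta(hours=1)):
    """Return {week label: [(shifted bucket start, avg, p90, volume), ...]}.

    After the shift, "Prior Week" and "Current Week" share the same bucket
    datetimes, which is what lets one chart draw them on top of each other.
    """
    events = [e for e in dedup_by_session(events) if e["service"] == service]
    if not events:
        return {}
    maxweek = max(week_start(e["_time"]) for e in events)  # eventstats max(weekdate)
    buckets = defaultdict(list)
    for e in events:
        wk = week_start(e["_time"])
        weeks_back = int((maxweek - wk) / WEEK)
        shifted = e["_time"] - wk + maxweek                 # eval _time=_time-weekdate+maxweek
        bucket = shifted - (shifted - maxweek) % span       # bin _time span=1h
        buckets[(week_label(weeks_back), bucket)].append(e["resp_ms"])
    result = defaultdict(list)
    for (label, bucket), vals in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        result[label].append((bucket, round(sum(vals) / len(vals)), percentile(vals, 90), len(vals)))
    return dict(result)


def merge_averages(partials):
    """Correct re-aggregation of hourly partials: carry (sum, count), not avg."""
    total = sum(s for s, _ in partials)
    n = sum(c for _, c in partials)
    return total / n if n else 0.0


if __name__ == "__main__":
    for label, rows in overlay_weeks(SAMPLE_EVENTS, "svc1").items():
        for bucket, avg, p90, vol in rows:
            print(f"{label:13s} {bucket:%a %H:%M}  avg={avg} p90={p90} volume={vol}")
```

Run it with python3 and the prior-week 09:00 and current-week 09:00 rows print with the same bucket time, which is the overlay the dashboard wants. Note that with the sample hours (300 ms over 2 calls, 300 ms over 1 call) merge_averages() gives 200, whereas averaging the two hourly averages would give 225.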