
streamstats multiple moving averages


My current Splunk search looks like this:

sourcetype="ContributionWebApiUat" DbResponseTime=* | chart values(DbResponseTime) by _time, DbQuery

This produces a bar chart with 3 types of DbQuery and their associated DbResponseTime plotted over time. Of course, in the future, there may be more than 3 DbQuerys.

I now want to plot a line chart which shows a moving average of each DbQuery's response time. This is so that we can see if any queries are getting slower over time, because of the increase in the app's traffic.

I have written a search that compiles the ResponseTimes for all the queries together and gives me a moving average. This is my search to achieve that:

sourcetype="ContributionWebApiUat" DbResponseTime=* | chart values(DbResponseTime) by _time | streamstats avg(values(DbResponseTime))

But I want to see a moving average for each individual DbQuery, rather than them all in one result. How do I go about this?

