topic Re: Percent by multiple (say 2) fields as in msg and version in Splunk Dev

Percent by multiple (say 2) fields as in msg and version

pyamamoto — Thu, 10 Aug 2017 01:44:18 GMT

I tried to use the solution in https://answers.splunk.com/answers/506192/how-to-calculate-percent-increase-of-crime-by-mont.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev but that did not seem to give the expected results (even after correcting for the typo).

The context is trying to compare the message error rate between two application versions.
For example a log message might be something like
ERROR: msg="The top error is still firing" appVersion=2.0.0
ERROR: msg="The top error is still firing" appVersion=2.0.1
in the two (or more) appVersions I am interested in (2 is enough, eg previous and just released).

When I used the solution from above, I only got numbers for one appVersion (the newest) in the statistic even though the events included msgs from both.

Note that I want percents by appVersion, being compared.

also it does not have to be differences, but simply top msg rates per appVersion would be enough.

The goal is to see if the rate of any (in particular the highest firing but any, so by largest diff may also be of interest) msg has changed in the new release.

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Thu, 10 Aug 2017 01:51:13 GMT

My version of the "calculate percent increase of crime by month over 6 years" solution was:

This resulted in showing only the second appVersion value, and all PercentChange was 0.00.

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Thu, 10 Aug 2017 02:14:01 GMT

I found that in my initial test versions entered, the previous only had a very small number of events, why it didn't show up at all I'm not sure).

So once I entered a fully released previous version, I got two columns. But the data was still not what I expected/wanted for my query.

The Percentage change in the previous solution seems to be using a grand total(?) (somebody else commented that the solution might not be right/as expected?).

For example, if I have something like

msg 2.0.0 2.0.1
msg1 10 20
msg2 10 20
msg3 80 60

then I want the values (for illustration purposes)

msg 2.0.0 Total2.0.0. Percent2.0.0 2.0.1 Total2.0.1 Percent2.0.1 PercentChange
msg1 10 100 .10 40 200 .20 .10
msg2 10 100 .10 40 200 .20 .10
msg3 80 100 .80 120 200 .60 -.20

For actual results/visualization I'm mainly interested in PercentChange by msg or by graphing the Percent values by msg

Re: Percent by multiple (say 2) fields as in msg and version

adonio — Thu, 10 Aug 2017 02:33:11 GMT

hope i understood your question correctly,
maybe try something like this:

... your search for events
| bin span=5m _time 
| stats count(eval(appVersion=="2.0.0")) as "2.0.0" count(eval(appVersion=="2.0.1")) as "2.0.1"  ... count(eval(appVersion=="n.0.0")) as "n.0.0" count as total_count by _time
| eval 2.0.0_pct = round(2.0.0/total_count*100, 2) 
| eval 2.0.1_pct = round(2.0.1/total_count*100, 2)  
....
| eval n.0.0_pct = round(n.0.0/total_count*100, 2)

hope it helps

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Thu, 10 Aug 2017 05:43:18 GMT

I'm not sure what the n.0.0 part is but the very fact that the x_pct computations share a common denominator seem to indicate that a specific point was missed...

Also, and more importantly, there is no breakdown by msg which is the important thing being counted.

Each msg count needs to be measured by the particular appVersion, then those computations compared against each other.

This is to see for example, that some message's frequency wrt to one appVersion, has increased/decreased compared to another appVersion. In this case the denominator is the total number of msgs for that particular appVersion, not a global total.

I added a comment with an example (I didn't see a way to edit my question) but apparently the comment hasn't been cleared by the moderator yet.

Sorry for any confusion. Please wait for the example to clear if the context is not clear.

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Thu, 10 Aug 2017 06:18:23 GMT

Note that:
| chart count over appVersion by msg
breaks the data down into the numbers needed per msg, appVersion but then the matter is computing and dividing those number by the totals by appVersion

appVersion  msg1 msg2 msg3
21.30                  165      802    165
21.33                     4         5     4

In the example above the 21.30 total would be 165+802+165=1132 and the 21.33 total would be 4+5+4=13
so the percentages would look like

appVersion msg1 msg2 msg3
21.30 14.5 71 14.5
21.33 31 38 31

in other words, msg1 and msg3 error rates have increased in version 21.33 whereas msg2 has decreased.

            msg1 msg2 msg3
diff       16.5   -33    16.5

Re: Percent by multiple (say 2) fields as in msg and version

knielsen — Thu, 10 Aug 2017 07:33:27 GMT

I can see calculating percentage diff per msg between appVersion if I tilt the table. I cannot really tilt it back afterwards, but maybe you can live with that?

<your search> | eval appVersion="v_"+appVersion | eventstats count as total by appVersion | eventstats count as splitcount by appVersion msg | eval percent=round(splitcount/total*100,2) |  chart values(percent) over msg by appVersion | eval diff =v_21.30 - v_21.33

(I don't know if we need to append v_ to the appVersion for doing the diff calc later),

That's still not really good because I guess you don't want the appVersion hardcoded, right?

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Tue, 29 Sep 2020 15:19:56 GMT

A two version is ok for now thank you, unfortunately i am getting an eval error on the final diff expression: "Error in 'eval' command: Typechecking failed. '-' only takes numbers"... I'm assuming that the generated column names v_21.30 and v_21.33 are not valid because of the "."? But I don't see how to get around it with our version numbers the way they are.

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Fri, 11 Aug 2017 17:33:57 GMT

Got it, for the two (or limited number), can use if to do the renaming. This provides the diff. Thank you very much!

... | eval appVersion=if(appVersion="21.30","v21_30","v21_33") | eventstats count as total by appVersion | eventstats count as splitcount by appVersion msg | eval percent=round(splitcount/total*100,2) |  chart values(percent) over msg by appVersion | eval diff=(v21_30-v21_33)

Re: Percent by multiple (say 2) fields as in msg and version

pyamamoto — Fri, 11 Aug 2017 20:39:44 GMT

So this works well for getting/seeing the basic data.

What I actually want to do is have this visualized over time with each line representing a specific msg, and the value being the diff value for that day.

I'm getting stumped on how to bucket/bin this data per day and have it visualized.