https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50403#M12115 <P>:blush: You noticed! Yep, I did some testing with 5m buckets.</P> <P>And yes, I'll be there. Looking forward to that beer! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 04 Sep 2012 13:01:42 GMT echalex 2012-09-04T13:01:42Z https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50400#M12112 <P>So a quick and dirty one.</P> <P>If I have a search that gives me a daily summary of the bytes downloaded by web users:</P> <PRE><CODE>sourcetype="web_logs" | timechart span=1d sum(sc_bytes) AS "Daily Traffic (Bytes)" </CODE></PRE> <P>What would be the best way to compare two successive days and give a % increase/decrease value? e.g.</P> <PRE><CODE>_time Daily Traffic perc_diff 8/9/11 12:00:00.000 AM 318606425 0 8/10/11 12:00:00.000 AM 66560892 -79.10 8/11/11 12:00:00.000 AM 2987269232 4388.02 8/12/11 12:00:00.000 AM 7981047 -99.73 8/13/11 12:00:00.000 AM 160388640 1909.61 8/14/11 12:00:00.000 AM 52523918 -67.25 </CODE></PRE> <P>Hope someone can help.. I have Splunkers block <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Tue, 04 Sep 2012 11:37:23 GMT https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50400#M12112 rturk 2012-09-04T11:37:23Z https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50401#M12113 <P>Hi R.Turk,</P> <P>I think you should be succesful using <CODE>bucket</CODE>, <CODE>delta</CODE> and <CODE>eval</CODE>. Use <CODE>bucket</CODE> to group the results into daily sets, <CODE>stats</CODE> to calculate the daily sum, <CODE>delta</CODE> to calculate the change and <CODE>eval</CODE> to get the percentage.</P> <PRE><CODE>...|bucket _time span=1d | stats sum(sc_bytes) as sc_bytes_daily by _time |delta sc_bytes_daily as change |eval change_percent=change/(sc_bytes_daily-change)*100 |timechart span=1d first(sc_bytes_daily) AS "Daily traffic (bytes)", first(change_percent) AS "Change (%)" </CODE></PRE> <P>HTH</P> Tue, 04 Sep 2012 12:51:05 GMT https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50401#M12113 echalex 2012-09-04T12:51:05Z https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50402#M12114 <P>Thanks echalex! That's exactly what I was after! I was going to ask you why the 5 minute spans, but you edited it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> If you're heading to .conf2012, I'll be sure to buy you a beer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 04 Sep 2012 12:56:51 GMT https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50402#M12114 rturk 2012-09-04T12:56:51Z https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50403#M12115 <P>:blush: You noticed! Yep, I did some testing with 5m buckets.</P> <P>And yes, I'll be there. Looking forward to that beer! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 04 Sep 2012 13:01:42 GMT https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50403#M12115 echalex 2012-09-04T13:01:42Z https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50404#M12116 <P>Well done! I was playing with an alternate solution, but not using <CODE>bucket</CODE> - noticed that bucket reduced the memory used during the search by a factor of 3 in my case. The job runtimes were similar for both searches. K.</P> Tue, 04 Sep 2012 13:44:41 GMT https://community.splunk.com/t5/Splunk-Search/Percentage-difference-between-two-successive-events-as-a-new/m-p/50404#M12116 kristian_kolb 2012-09-04T13:44:41Z