topic Re: How do you do a trend calculation with a plus sign? in Splunk Search

How do you do a trend calculation with a plus sign?

jip31 — Tue, 09 Oct 2018 14:29:43 GMT

hello,

With the code below, i calculate a % trend between values. When the result of the trend is negative, a negative % is displayed. Perfect, but when the % is positive, I need to have, for example, +150% instead 150% .

Could you help me please?

index="windows-wmi" sourcetype="wmi:CPUload" (Name="mfetp/*" OR Name="mcshield/*") Name="mfetp*"   
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| head 10
| stats avg(PercentProcessorTime) as CPU_PercentProcessorTime_AVG, avg(Timestamp_Sys100NS) as CPU_Timestamp_Sys100NS_AVG
| appendcols  
[ search index="windows-wmi" sourcetype="wmi:CPUload"    (Name="mfetp/*" OR Name="mcshield/*") Name="mfetp*"   
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| head 10
| stats avg(PercentProcessorTime) as CPU_PercentProcessorTime_AVG2, avg(Timestamp_Sys100NS) as CPU_Timestamp_Sys100NS_AVG2]
| foreach CPU_*_AVG [
| eval perc<<MATCHSTR>>_AVG=case('<<FIELD>>'=='<<FIELD>>2',0, '<<FIELD>>'>'<<FIELD>>2', "-"
.round(('<<FIELD>>'/'<<FIELD>>2')*100,2), true(), "+".round(('<<FIELD>>2'/'<<FIELD>>')*100,2))]

| table percPercentProcessorTime_AVG, percTimestamp_Sys100NS_AVG 

| rename percPercentProcessorTime_AVG as ProcessorTime_Trend, percTimestamp_Sys100NS_AVG as Timestamp_Sys100NS_Trend

Re: How do you do a trend calculation with a plus sign?

Vijeta — Tue, 09 Oct 2018 14:44:32 GMT

Hi ,

You can use the below statement before table command in your code-

eval  percPercentProcessorTime_AVG=printf("%+4d",percPercentProcessorTime_AVG)

Re: How do you do a trend calculation with a plus sign?

KailA — Tue, 09 Oct 2018 15:21:49 GMT

Hi,

You can use regular expression to check if there is a minus sign or not, and if not, add the plus sign to your percentage.
Below a working example :

| makeresults
| eval temp = split("150%;-97%",";")
| mvexpand temp
| rex field=temp "^(?<sign>.)"
| eval temp = if(sign="-",temp,"+".temp)

The first 3 lines are only there to generate example data.

Let me know 🙂

KailA

Re: How do you do a trend calculation with a plus sign?

mstjohn_splunk — Tue, 09 Oct 2018 22:47:37 GMT

hi @jip31

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: How do you do a trend calculation with a plus sign?

jip31 — Tue, 29 Sep 2020 21:32:29 GMT

hi thanks
what does exactly mean "%+4d" please?
if i want to adapt my code i just have to do :

| eval percPercentProcessorTime_AVG=printf("%+4d",percPercentProcessorTime_AVG)
| eval percTimestamp_Sys100NS_AVG =printf("%+4d", percTimestamp_Sys100NS_AVG)

Re: How do you do a trend calculation with a plus sign?

Vijeta — Wed, 10 Oct 2018 14:39:42 GMT

This is a format, when you give a plus in printf, it displays + for numbers without sign and - for numbers with -ve sign. 4 is the precision of digits. This should work for your code.

Re: How do you do a trend calculation with a plus sign?

jip31 — Thu, 11 Oct 2018 06:13:47 GMT

thanks a lot