topic Percentage chart in Splunk Search

Percentage chart

leandromatperei — Fri, 29 Nov 2019 19:31:15 GMT

Hi.
I have a query that makes the difference of a query comparing today with last week.

I would like to generate a graph of percentage difference between the two, could someone help me?

My chart generates a timeline with events, however I would like a percentage chart.

earliest=-1w-12h latest=-1w index="raw_teste" (host=host1OR host=host2) "Retrieving message #"
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "SemanaPassada" by time

| appendcols [search earliest=-12h latest=-5s index="raw_teste" (host=host1OR host=host2) "Retrieving message #" 
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "Hoje" by time]

Re: Percentage chart

to4kawa — Fri, 29 Nov 2019 23:36:18 GMT

| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
| makecontinuous span=20m
| where _time > relative_time(now(),"-12h") OR _time < relative_time(now(),"-1w")
| eval count ="Retrieving message #"
| rename count as _raw
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

Hi, This is sample query.

index="raw_teste" (host=host1OR host=host2) "Retrieving message #" ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

How about this? (Visualisation > Pie Chart)

Re: Percentage chart

leandromatperei — Sat, 30 Nov 2019 01:10:57 GMT

Hi,

I would like a percentage number chart comparing these two values, is it possible?

I need to check two absolute values and see if there is a difference is above 30%

These values are always comparing today with last week's date on the 01 hour timerange.

Re: Percentage chart

to4kawa — Sat, 30 Nov 2019 01:33:00 GMT

I need to check two absolute values and see if there is a difference is above 30%

Please tell me the calculation formula

Re: Percentage chart

to4kawa — Sat, 30 Nov 2019 01:50:04 GMT

 | makeresults count=2
 | streamstats count
 | eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
 | makecontinuous span=3m
 | where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w")
 | eval count=random() % 2 
 | where count = 1
 `comment("this is sample data")`
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | bin span=1h _time
 | eval hours=strftime(_time,"%H%M%S")
 | chart sum(count) as count over hours by date
 | eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100
 | eval _time=strptime(hours,"%H%M%S")
 | eval thresh=30
 | table _time Difference thresh

I don't know well, but is it like this?

Please try with Line Chart

When using it for alerts, change the 15th line to where Difference > 30.

I would like to generate a graph of percentage difference between the two, could someone help me?

I thought it is a chart, because you wrote this. but

where I want a chart of type Single Value?

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s")) 
| makecontinuous span=3m 
| where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w") 
| eval count=random() % 2 
| where count = 1 
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje") 
| bin span=1h _time 
| eval hours=strftime(_time,"%H%M%S") 
| chart sum(count) as count over hours by date 
| eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100 
| eval _time=strptime(hours,"%H%M%S") 
| table _time Difference

Please try with Single Value.

If you just give a number, stats is fine, but if you want a change, you need timechart, etc.

Re: Percentage chart

leandromatperei — Sat, 30 Nov 2019 14:04:35 GMT

I don't think I understood your last appointment well.

For example in the query below how would I do to calculate the percentage difference where I want a chart of type Single Value?

Could you show me.

index=* ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | stats count by date

Re: Percentage chart

to4kawa — Sat, 30 Nov 2019 22:42:41 GMT

I amended answer.

Please tell me the calculation formula.

last_week - today?

Re: Percentage chart

leandromatperei — Sun, 01 Dec 2019 00:45:22 GMT

Thanks,

I need to calculate the difference in values between last week and today in the 01 hour range.

I need a single value chart and if it goes above 30% it turns red.

index=main ( earliest=-1w-1h latest=-1w) OR (earliest=-1h latest=-5s) | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")

The calculation can be from last week - today.

Re: Percentage chart

to4kawa — Sun, 01 Dec 2019 01:06:54 GMT

please check my last Answer

the calculation is eval Difference
if it is wrong, you can change it.

Re: Percentage chart

woodcock — Sun, 01 Dec 2019 22:37:59 GMT

You need the timewrap command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap