https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502983#M195250 <P>last question : is it possible to have + between the Trend when the Trend is positive??</P> Tue, 10 Dec 2019 15:05:08 GMT jip31 2019-12-10T15:05:08Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502976#M195243 <P>hello</P> <P>from the code below, i would like to be able to add a new colum in my table panel which calculate the percentage trend between the previous count and the next count for each line<BR /> Example</P> <P>Month count Trend<BR /> January 200 --<BR /> February 300 +34%<BR /> March 100 -66%</P> <PRE><CODE>index="toto" sourcetype="tutu" assigned_group="titi" | dedup incident_number | eval Month=strftime(_time,"%Y-%m") | stats count by Month | sort -Month </CODE></PRE> <P>thanks for your help</P> Tue, 10 Dec 2019 08:48:38 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502976#M195243 jip31 2019-12-10T08:48:38Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502977#M195244 <P>try this:</P> <P><CODE>index="toto" sourcetype="tutu" assigned_group="titi" <BR /> | dedup incident_number <BR /> | eval Month=strftime(_time,"%Y-%m") <BR /> | stats count by Month <BR /> | sort -Month<BR /> | delta count as Diff <BR /> | eval percentageTrend =(Diff/count)*100</CODE></P> Tue, 10 Dec 2019 09:12:46 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502977#M195244 jitendragupta 2019-12-10T09:12:46Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502978#M195245 <P>Are your example numbers what you want?</P> <P>Between Jan and Feb</P> <UL> <LI>300 is 50% more than 200 (b &gt; a)</LI> <LI>200 is 33.3% less than 300 (a &lt; b)</LI> </UL> <P>by between Feb and Mar</P> <UL> <LI>300 is 200% more than 100 (a &gt; b)</LI> <LI>100 is 66% less than 200 (b &lt; a)</LI> </UL> <P>so in your example are you looking to show, </P> <P>a) when negative, what % the smaller value is of the larger value<BR /> b) when positive, what % the difference between the values is of the larger value</P> <P>or something else.</P> <P>Note that the sort -Month will sort in reverse chronological order, so with the %Y-%m your order will be March,Feb,Jan. Naturally if you then use delta, that will give different results.</P> <P>So you could use</P> <PRE><CODE>| eval Month=strftime(_time,"%Y-%m") | stats count by Month | sort Month | eval diff=0 | delta count as diff | eval percentage=round(diff/count*100,0) </CODE></PRE> <P>Note that if you change the sort order the delta values are different. In the ascending sort, then change from 300 to 100 shows -200%.</P> <P>So it sort of depends if Feb in your example is needed to show </P> <P>a) Feb is a 50% growth over Jan<BR /> b) Jan was 33% lower than Feb</P> <P>but to give you your example, you would have to do</P> <PRE><CODE>| sort Month | eval diff=0 | delta count as diff | eval percentage=round(if(diff&gt;0,diff/count*100,diff/(count-diff)*100),0) </CODE></PRE> <P>NB: Ascending sort</P> <P>Run anywhere example</P> <PRE><CODE>| makeresults | rename COMMENT as "Setting up data to show example" | eval f="2019-01,200#2019-02,300#2019-03,100" | makemv delim="#" f | mvexpand f | rex field=f "(?&lt;Month&gt;[^,]*),(?&lt;count&gt;.*)" | fields - f, _time | sort Month | eval diff=0 | delta count as diff | eval percentage=round(if(diff&gt;0,diff/count*100,diff/(count-diff)*100),0) </CODE></PRE> Tue, 10 Dec 2019 09:58:30 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502978#M195245 bowesmana 2019-12-10T09:58:30Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502979#M195246 <PRE><CODE>| makeresults count=2 | streamstats count | eval _time = if (count==2,relative_time(_time,"-1y@month"), _time) | makecontinuous span=1d | eval incident_number="incedent_number_".(random() % 25 + 1) | bin span=1month _time | stats dc(incident_number) as count by _time | eval Month=strftime(_time,"%B, %y") | delta count as diff | eval Trend=(diff / count * 100)."%" | table Month count Trend </CODE></PRE> <P>Is <CODE>Month</CODE> in this format?</P> Tue, 10 Dec 2019 12:35:49 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502979#M195246 to4kawa 2019-12-10T12:35:49Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502980#M195247 <P>thanks it works but the calculation of the percentageTrend is strange <BR /> to my mind its not Diff/ count but (count-1/count)*100?</P> Tue, 10 Dec 2019 14:19:16 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502980#M195247 jip31 2019-12-10T14:19:16Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502981#M195248 <P>Thanks it seems to be good<BR /> Month format is <span class="lia-unicode-emoji" title=":neutral_face:">😐</span> eval Month=strftime(_time,"%Y-%m") </P> Tue, 10 Dec 2019 14:20:09 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502981#M195248 jip31 2019-12-10T14:20:09Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502982#M195249 <P>hi perfect demonstration but for the percentage calculation i have the same question asked to <BR /> jitendragupta</P> Tue, 10 Dec 2019 14:27:36 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502982#M195249 jip31 2019-12-10T14:27:36Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502983#M195250 <P>last question : is it possible to have + between the Trend when the Trend is positive??</P> Tue, 10 Dec 2019 15:05:08 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502983#M195250 jip31 2019-12-10T15:05:08Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502984#M195251 <PRE><CODE>| makeresults count=2 | streamstats count | eval _time = if (count==2,relative_time(_time,"-2y@month"), _time) | makecontinuous span=1d | eval incident_number="incedent_number_".(random() % 25 + 1) | bin span=1month _time | stats dc(incident_number) as count by _time | eval Month=strftime(_time,"%Y-%m") | delta count as diff | eval Trend=(diff / count * 100) | autoregress Trend as Trend_diff | eval positive_diff=if(Trend &gt;= 0 , Trend - Trend_diff,NULL) | eval Trend=Trend."%", Trend_diff=positive_diff."%" | table Month count Trend Trend_diff </CODE></PRE> <P>Is this it?</P> Tue, 10 Dec 2019 19:40:56 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502984#M195251 to4kawa 2019-12-10T19:40:56Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502985#M195252 <P>yes thanks</P> Fri, 13 Dec 2019 08:54:12 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502985#M195252 jip31 2019-12-13T08:54:12Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502986#M195253 <P>please accept the answer </P> Fri, 13 Dec 2019 11:42:32 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502986#M195253 to4kawa 2019-12-13T11:42:32Z https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502987#M195254 <P>I guess you need to express what the percentage is that you wish to see</P> Wed, 18 Dec 2019 08:27:12 GMT https://community.splunk.com/t5/Splunk-Search/help-for-calculating-a-trend-in-a-table-panel/m-p/502987#M195254 bowesmana 2019-12-18T08:27:12Z