topic Re: Need help to calculate percentage. in Splunk Search

Need help to calculate percentage.

Ash1 — Sun, 31 Mar 2024 17:20:56 GMT

|mstats sum(Transactions) as Transaction_count where index=metrics-logs application=login services IN(get, put, delete) span=1h by services |streamstats by services |timechart span=1h values(Transaction_count) by services

Results:

_time	get	put	delete
2024-01-22 09:00	7654.000000	17854.000000	9876.000000
2024-01-22 10:00	5643.000000	2345.000000	1267.000000

From the above query we want to calculate percentage between 2 values.
For example : For get field , we want percentage between 2 hours(09:00 and 10:00)

7654.000000/5643.000000*100

how to do this??

Re: Need help to calculate percentage.

PickleRick — Sun, 31 Mar 2024 21:59:48 GMT

You need to "carry over" value from one results row to another using autoregress command or streamstats.

Autoregress is pretty straightforward. For example in this case

| autoregress get as old_get

Streamstats seems a bit more complicated but can be a pretty powerful tool. Alternative to autoregress here would be

| streamstats current=f window=1 values(get) as old_get

One caveat to both those commands - they are applied in order of the returned events which by default is the reverse chronological order which means you'd be copying values from a newer result to the older one. If that's not what you want, you'll need to resort your results.

Re: Need help to calculate percentage.

Ash1 — Mon, 01 Apr 2024 00:31:08 GMT

Hi @PickleRick , i tried the query u suggested its working as expected. please find the below query.
but my concern is we want to use this query as an alert, where condition as
getperct >50 , putperct >10 , deleteperct >80 trigger alert

but when i give this 3 conditions its not working as expected, here alert should trigger even if one condition meets.

|mstats sum(Transactions) as Transaction_count where index=metrics-logs application=login services IN(get, put, delete) span=1h by services
|timechart span=1h values(Transaction_count) by services
|autoregress get as old_get
|autoregress get as old_put
|autoregress get as old_delete
|eval getperct=round(old_get/get*100,2)
|eval putperct=round(old_put/put*100,2)
|eval deleteperct=round(old_delete/delete*100,2)
|table getperct putperct deleteperct

Re: Need help to calculate percentage.

PickleRick — Mon, 01 Apr 2024 09:33:34 GMT

Are you sure you wanted old value of get as old_put?

Also, you can just do your condition as | where command to find only those matching results. Then you'd trigger alert only if you had any results at all.

Re: Need help to calculate percentage.

Ash1 — Mon, 01 Apr 2024 22:12:28 GMT

Hi @PickleRick , sorry it was a typo erro

Are you sure you wanted old value of get as old_put? --- sorry it was a typo error

Also, you can just do your condition as | where command to find only those matching results. Then you'd trigger alert only if you had any results at all.-- soory I used where condition but it's not working

|Where getperct>50 |Where putperct>10 |Where deleteperct>80

I want to receive error even if any one condition match, but I am not getting

Can u pls help

Re: Need help to calculate percentage.

PickleRick — Tue, 02 Apr 2024 07:47:41 GMT

Remember that after each step in your processing pipeline you get only those restults from the immediately preceeding command. So if you do all those | where commands in a row, first one will filter out all those results for which the getperct wasnt more than 50, the second one will filter out (of those remaining after first where) those that do not fit the next condition and so on.

So your three wheres in a row are equivalent to

| where getperct>50 AND putperct>10 AND deleteperct>80

but you want at least one of those condiitons fulfilled so you want

| where (getperct>50) OR (putperct>10> OR (deleteperct>80)