topic Re: Calculate Percentage Difference Between Two Searches in Splunk Search

Calculate Percentage Difference Between Two Searches

albyva — Mon, 28 Sep 2020 14:22:05 GMT

When running a single search on bandwidth data I can calculate the percentage between bandwidth In and Out using this eval fucntion:

| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference _time

What I want to do is calculate the percentage change between bandwidth over a 5/minute time span. For example, lets assume I'm seeing 100/mbps of bandwidth at 12:00p Noon and at 12:05p the bandwidth jumps to 125/mbps. How can I calculate the 25% increase in bandwidth between those two timespans/searches?

Re: Calculate Percentage Difference Between Two Searches

linu1988 — Mon, 28 Sep 2020 14:22:08 GMT

Could you please give the below query a try:

|bucket _time span=5m| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference ,_time

Thanks

Re: Calculate Percentage Difference Between Two Searches

aholzer — Mon, 28 Sep 2020 14:22:16 GMT

Like @linu1988 points out, you can use the bucket command to get the values for every 5 mins, then you can use the delta command to calculate the difference between two adjacent events.

Your search would look like:
| bucket _time span=5m| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | delta percent_difference as delta_percent | table _time, percent_difference, delta_percent

Here's the documentation on delta: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Delta

Re: Calculate Percentage Difference Between Two Searches

albyva — Wed, 17 Jul 2013 16:25:17 GMT

Wonderful. Thanks for the | bucket command tip.