https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191885#M55219 <P>use "delta" command for the difference in the current Vs previous value for the given parameter. </P> <P>Refer for more details : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta</A></P> <P>E.g: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.</P> <P>... | delta count AS countdiff</P> Tue, 13 Jan 2015 02:59:34 GMT jayannah 2015-01-13T02:59:34Z https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191884#M55218 <P>I am new to Splunk and need guidance on writing a generic search that will give me the percent increase over a two month period. For example, let's say my event data has the following fields:</P> <P>page="foo.html", success_rate=99.0, _time=2014-12-01 <BR /> page="foo.html", success_rate=99.5, _time=2014-11-01<BR /> page="bar.html", success_rate=100, _time=2014-12-01 <BR /> page="bar.html", success_rate=100, _time=2014-11-01 </P> <P>I would like my results to be:</P> <P>Page Name | Success Rate Change<BR /> foo.html | -0.5<BR /> bar.html | 0</P> <HR /> <P>Here is another example:</P> <P><STRONG>Events</STRONG><BR /> page="foo.html", response_time=40, _time=2014-11-1<BR /> page="foo.html", response_time=50, _time=2014-12-1<BR /> page="bar.html", response_time=3, _time=2014-11-1<BR /> page="bar.html", response_time=1, _time=2014-12-1</P> <P><STRONG>Desired Results</STRONG><BR /> Page | Response Time Percent Increase<BR /> foo.html | 25<BR /> bar.html | -66.66</P> <P>This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.</P> <P>I've gotten this to work with the follow query:</P> <P><CODE>| eval month=strftime(_time,"%b") | chart avg(success_rate) by page, month <BR /> | convert num("Dec") as dec_res num("Nov") as nov_res<BR /> | eval rs_diff = (((dec_res / nov_res) * 100) - 100) <BR /> | table page rs_diff</CODE></P> <P>However, this is not very flexible as I have to get the column by the month's name. This will only work for a month and then I have to change it.</P> <P>How can I get the same results without using hard-coded values? </P> Mon, 28 Sep 2020 18:40:51 GMT https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191884#M55218 jjones31 2020-09-28T18:40:51Z https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191885#M55219 <P>use "delta" command for the difference in the current Vs previous value for the given parameter. </P> <P>Refer for more details : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta</A></P> <P>E.g: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.</P> <P>... | delta count AS countdiff</P> Tue, 13 Jan 2015 02:59:34 GMT https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191885#M55219 jayannah 2015-01-13T02:59:34Z https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191886#M55220 <P>Thanks for your response jayannah!</P> <P>You actually made me realize my example is misleading. Since success rate is already a percentage, your suggestion is completely valid. </P> <P>I am trying to create a search that will give me all events that's greater than a specific percentage (percent increase). For example, if I have a web page in which the response time has grown more than 10% in the past month, I want to know. </P> <P>Let me give you a better example, let's use response time instead of success rate. </P> <P><STRONG>Events</STRONG><BR /> page="foo.html", response_time=40, _time=2014-11-1<BR /> page="foo.html", response_time=50, _time=2014-12-1<BR /> page="bar.html", response_time=3, _time=2014-11-1<BR /> page="bar.html", response_time=1, _time=2014-12-1</P> <P><STRONG>Desired Results</STRONG><BR /> Page | Response Time Percent Increase<BR /> foo.html | 25<BR /> bar.html | -66.66</P> <P>This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec. </P> <P>Any help is appreciated! </P> Mon, 28 Sep 2020 18:37:38 GMT https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191886#M55220 jjones31 2020-09-28T18:37:38Z https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191887#M55221 <P>The below line will add new field previous_response_time with value of response_time of previous event.</P> <P>| streamstats current=f last(response_time) as previous_response_time</P> <P>Then, the below query gives you the % you want..</P> <P>eval Perc_change= ((response_time - previous_response_time) /previous_response_time * 100)</P> <P>Hope this helps..</P> Mon, 28 Sep 2020 18:37:49 GMT https://community.splunk.com/t5/Splunk-Search/Suggestions-on-calculating-reduction-rates-over-a-period-of-time/m-p/191887#M55221 jayannah 2020-09-28T18:37:49Z