https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-find-percentage-deviation-between-two/m-p/285777#M86467 <P>How do I find % deviation between 2 values for each platform? I am able to get deviation, but when i want deviation only for each platform, I do not want values for one platform compared with another platform. Is this possible in Splunk?</P> <P>Current search:</P> <PRE><CODE>index="test" OR index="test" Api=* (EventStreamData.eventName="5000027") | bucket _time span=15m | rename EventStreamData.response.userStatusCode{} as userStatusCode1 | rename EventStreamData.args.customerLoginRequest.signInPlatform as signInPlatform1 | eval PLATFORM=if((Api_Key="SICAPP" AND signInPlatform="Card"),"COS",if((Api_Key="SICAPP" AND signInPlatform="ENTERPRISE"),"EASE Web", if((Api_Key="SICAPP" AND signInPlatform="OLBank"), "OLBR",)) | eval SuccessVolume=if(DISPOSITION="SUCCESS",1,0) | eval PolicyVolume=if(DISPOSITION="POLICY",1,0) | eval DefectVolume=if(DISPOSITION="DEFECT",1,0) | stats sum(SuccessVolume) as Success avg(SuccessVolume) as avg by _time,PLATFORM | sort PLATFORM | fillnull | delta avg as change | fillnull | eval change_percent=round(change/avg*100,0) </CODE></PRE> Tue, 20 Dec 2016 16:19:29 GMT shaileshmali 2016-12-20T16:19:29Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-find-percentage-deviation-between-two/m-p/285777#M86467 <P>How do I find % deviation between 2 values for each platform? I am able to get deviation, but when i want deviation only for each platform, I do not want values for one platform compared with another platform. Is this possible in Splunk?</P> <P>Current search:</P> <PRE><CODE>index="test" OR index="test" Api=* (EventStreamData.eventName="5000027") | bucket _time span=15m | rename EventStreamData.response.userStatusCode{} as userStatusCode1 | rename EventStreamData.args.customerLoginRequest.signInPlatform as signInPlatform1 | eval PLATFORM=if((Api_Key="SICAPP" AND signInPlatform="Card"),"COS",if((Api_Key="SICAPP" AND signInPlatform="ENTERPRISE"),"EASE Web", if((Api_Key="SICAPP" AND signInPlatform="OLBank"), "OLBR",)) | eval SuccessVolume=if(DISPOSITION="SUCCESS",1,0) | eval PolicyVolume=if(DISPOSITION="POLICY",1,0) | eval DefectVolume=if(DISPOSITION="DEFECT",1,0) | stats sum(SuccessVolume) as Success avg(SuccessVolume) as avg by _time,PLATFORM | sort PLATFORM | fillnull | delta avg as change | fillnull | eval change_percent=round(change/avg*100,0) </CODE></PRE> Tue, 20 Dec 2016 16:19:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-find-percentage-deviation-between-two/m-p/285777#M86467 shaileshmali 2016-12-20T16:19:29Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-find-percentage-deviation-between-two/m-p/285778#M86468 <P>Give this a try</P> <PRE><CODE>index="test" OR index="test" Api=* (EventStreamData.eventName="5000027") | bucket _time span=15m | rename EventStreamData.response.userStatusCode{} as userStatusCode1 | rename EventStreamData.args.customerLoginRequest.signInPlatform as signInPlatform1 | eval PLATFORM=if((Api_Key="SICAPP" AND signInPlatform="Card"),"COS",if((Api_Key="SICAPP" AND signInPlatform="ENTERPRISE"),"EASE Web", if((Api_Key="SICAPP" AND signInPlatform="OLBank"), "OLBR",)) | eval SuccessVolume=if(DISPOSITION="SUCCESS",1,0) | eval PolicyVolume=if(DISPOSITION="POLICY",1,0) | eval DefectVolume=if(DISPOSITION="DEFECT",1,0) | stats sum(SuccessVolume) as Success avg(SuccessVolume) as avg by PLATFORM _time | streamstats current=f window=1 values(avg) as change by PLATFORM | eval change=avg-change | eval change_percent=round(change/avg*100,0) </CODE></PRE> Tue, 20 Dec 2016 19:10:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-find-percentage-deviation-between-two/m-p/285778#M86468 somesoni2 2016-12-20T19:10:01Z