https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293527#M88618 <P>What is the relationship between host1 and host2? Typically, no two hosts will have the same statistics for anything, so I'm not sure what "big difference" might mean in your context.</P> Thu, 17 Aug 2017 14:10:47 GMT DalJeanis 2017-08-17T14:10:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293525#M88616 <P>How to compare the two host events ?</P> <P>index=test| stats count by host | stats list(count) as count by host</P> <P>my result is : <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3396i9A4F100A4E9C1277/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How to identify if there is a large variation in count between host1 and host 2 ?</P> Thu, 17 Aug 2017 12:12:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293525#M88616 karthi2809 2017-08-17T12:12:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293526#M88617 <P>Will there always be 2 hosts or there can be more? What is your expected output?</P> Thu, 17 Aug 2017 13:53:06 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293526#M88617 somesoni2 2017-08-17T13:53:06Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293527#M88618 <P>What is the relationship between host1 and host2? Typically, no two hosts will have the same statistics for anything, so I'm not sure what "big difference" might mean in your context.</P> Thu, 17 Aug 2017 14:10:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293527#M88618 DalJeanis 2017-08-17T14:10:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293528#M88619 <P>How to identify if there is a large variation in count between host1 and host 2 ?</P> Fri, 18 Aug 2017 05:46:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293528#M88619 karthi2809 2017-08-18T05:46:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293529#M88620 <P>I'm not sure what you're definition of "large variation" is, but there is a command in splunk called <STRONG>delta</STRONG> that should be able to help.<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Delta">https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Delta</A></P> <P>Also, I'm not sure why you're adding <CODE>|stats list(count) as count by host</CODE>as it should produce the same results as the stats command before it.</P> <PRE><CODE>index=test| stats count by host|delta count as delta p=1 </CODE></PRE> <P>if you're looking to add the percent, you could use <STRONG>top</STRONG> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Top">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Top</A></P> <PRE><CODE>index=test|top host|delta count as delta p=1 </CODE></PRE> Fri, 18 Aug 2017 14:41:27 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293529#M88620 cmerriman 2017-08-18T14:41:27Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293530#M88621 <P>Hi cmerriman,</P> <P>Thanks for your valuable query .but requirement is to find percentage of host.i have two servers one is host 1 and another one is host 2.both host have almost same transaction amount.<BR /> for eg :<BR /> host 1 : 5.1%<BR /> host 2: 4.9%</P> <P>In case of host have huge difference between transaction amount<BR /> for eg:</P> <P>host 1: 5.1<BR /> host 2: 2.0</P> <P>i need to set an alert for this differnce</P> Tue, 22 Aug 2017 07:33:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293530#M88621 karthi2809 2017-08-22T07:33:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293531#M88622 <P>so would <CODE>index=test|top host|delta percent as delta p=1</CODE> work, and then create an alert based on the value of <STRONG>delta</STRONG>? since you only have the two hosts, you could fill in the other line of delta with <CODE>|sort + percent|filldown delta</CODE> at the end of the search.</P> Tue, 22 Aug 2017 12:20:26 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293531#M88622 cmerriman 2017-08-22T12:20:26Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293532#M88623 <P>Here's some code if you want to see if all the hosts are balanced within 10% of each other. This would alert if the highest host was carrying 10% more of the total traffic than the lowest host. </P> <PRE><CODE>index=test | stats count as hostcount by host | eventstats max(hostcount) as maxcount min(hostcount) as mincount sum(hostcount) as totalcount | eval pctcount = round(100*hostcount/totalcount,2) | eval maxdiff = round(100*(maxcount-mincount)/totalcount,2) | where maxdiff&gt;10.0 </CODE></PRE> <P>Here's some code if you want to see if the two lowest hosts are balanced within 5% of each other. This compares the lowest to the second-lowest, alerting if one of them is carrying 5% more of the total load than the other. The code would function even if there was only one host, but it would obviously never alert in that case.</P> <PRE><CODE>index=test | stats count as hostcount by host | eventstats max(hostcount) as maxcount min(hostcount) as mincount sum(hostcount) as totalcount | eval pctcount = round(100*hostcount/totalcount,2) | eventstats min(eval(if(hostcount=mincount,null(),hostcount))) as min2count | eval diffcount = round(100*(min2count-mincount)/totalcount,2) | where maxdiff&gt;5.0 </CODE></PRE> Tue, 22 Aug 2017 13:13:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293532#M88623 DalJeanis 2017-08-22T13:13:00Z https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293533#M88624 <P>Hi DalJeanis,<BR /> I have two servers .in both two servers splunk forwarder is installed and pointed to index=test.The both servers have same level or more or less of transaction .but in my case the one server have 35 % and another server having 34 % means not a problem . In case of large difference between the percentage in two servers .then i need to set alert for the conditions</P> Mon, 28 Aug 2017 05:50:43 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-the-count-of-two-hosts/m-p/293533#M88624 karthi2809 2017-08-28T05:50:43Z