topic Re: How to calculate percentage deviation in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-calculate-percentage-deviation/m-p/325034#M96944 <P>Try This:</P> <PRE><CODE>index=&lt;your_index&gt; | stats avg(never*) AS avg_never* latest(never*) AS current_never* by hour, msc_name | foreach current_* [eval pct_deviation_&lt;&lt;MATCHSTR&gt;&gt;=abs(&lt;&lt;FIELD&gt;&gt;-avg_&lt;&lt;MATCHSTR&gt;&gt;)*100/avg_&lt;&lt;MATCHSTR&gt;&gt;] | table hour msc_name pct_deviation_* | stats avg(pct_deviation_*) AS avg_pctdeviation_* by msc_name | addtotals| eval avg=Total/5 | fields msc_name avg </CODE></PRE> Fri, 08 Dec 2017 10:38:20 GMT mayurr98 2017-12-08T10:38:20Z How to calculate percentage deviation https://community.splunk.com/t5/Splunk-Search/How-to-calculate-percentage-deviation/m-p/325033#M96943 <P>Hi,</P> <P>I have logs which looks similar to the sample data attached. In my current scenario I have 30 days hourly data for each of the 9 nodes i.e., "msc "and 303 KPIs i.e., "never" in the sample log. I want to calculate the %deviation of the KPIs i.e., never_* for the latest day from the average of last 30 days. I could calculate the deviation with the below logic but unable to structure the logic to calculate the %deviation. Kindly suggest if my logic is correct to calculate deviation:</P> <P><CODE>index=&lt;indexname&gt; | stats avg(never_*) as avg_* latest(never_*) as values_* by date_hour, msc | foreach values_* [eval deviation_&lt;&lt;MATCHSTR&gt;&gt;=abs(avg_&lt;&lt;MATCHSTR&gt;&gt;-&lt;&lt;FIELD&gt;&gt;] | table date_hour msc deviation_* | stats avg(deviation_*) as avg_dev_* by msc | eval total_avg_dev=0 | foreach avg_dev_* [eval total_avg_dev=&lt;&lt;FIELD&gt;&gt;+total_avg_dev] | eval avg_avg_dev=total_avg_dev/303 | table msc avg_avg_dev | sort - avg_avg_dev | rename avg_avg_dev as deviation | head 10</CODE></P> <P>If this correct then, how should I calculate the percentage deviation in this case?</P> Fri, 08 Dec 2017 08:39:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-percentage-deviation/m-p/325033#M96943 MousumiChowdhur 2017-12-08T08:39:51Z Re: How to calculate percentage deviation https://community.splunk.com/t5/Splunk-Search/How-to-calculate-percentage-deviation/m-p/325034#M96944 <P>Try This:</P> <PRE><CODE>index=&lt;your_index&gt; | stats avg(never*) AS avg_never* latest(never*) AS current_never* by hour, msc_name | foreach current_* [eval pct_deviation_&lt;&lt;MATCHSTR&gt;&gt;=abs(&lt;&lt;FIELD&gt;&gt;-avg_&lt;&lt;MATCHSTR&gt;&gt;)*100/avg_&lt;&lt;MATCHSTR&gt;&gt;] | table hour msc_name pct_deviation_* | stats avg(pct_deviation_*) AS avg_pctdeviation_* by msc_name | addtotals| eval avg=Total/5 | fields msc_name avg </CODE></PRE> Fri, 08 Dec 2017 10:38:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-percentage-deviation/m-p/325034#M96944 mayurr98 2017-12-08T10:38:20Z