Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In splunk to find percentage difference for each column

pswalia06
Explorer
‎08-09-2018 09:12 PM

I need to find the difference between each date for each App_name in splunk

Right now my query just show the today number of record recieve each day per topic name/ Appname. I want to find out the percentage difference of record for each day from its previous day.

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." | timechart span=24h sum(record) as records by topic_name

Can someone help

Tags (1)
Reply

renjith_nair
Legend
‎08-10-2018 07:11 AM

@pswalia06,

Try this

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." 
|timechart span=24h sum(record) as records by topic_name
|untable _time,topic_name,records|sort topic_name,_time
|streamstats last(records) as prev_records  current=f window=1 reset_on_change=true by topic_name|fillnull value=0
|eval perc=((records-prev_records  )/records)*100|fields - records,prev_records  |xyseries _time,sourcetype,perc
Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...