I tried to use the solution in https://answers.splunk.com/answers/506192/how-to-calculate-percent-increase-of-crime-by-mont.html?ut... but that did not seem to give the expected results (even after correcting for the typo).
The context is trying to compare the message error rate between two application versions.
For example a log message might be something like
ERROR: msg="The top error is still firing" appVersion=2.0.0
ERROR: msg="The top error is still firing" appVersion=2.0.1
in the two (or more) appVersions I am interested in (2 is enough, eg previous and just released).
When I used the solution from above, I only got numbers for one appVersion (the newest) in the statistic even though the events included msgs from both.
Note that I want percents by appVersion, being compared.
also it does not have to be differences, but simply top msg rates per appVersion would be enough.
The goal is to see if the rate of any (in particular the highest firing but any, so by largest diff may also be of interest) msg has changed in the new release.
hope i understood your question correctly,
maybe try something like this:
... your search for events | bin span=5m _time | stats count(eval(appVersion=="2.0.0")) as "2.0.0" count(eval(appVersion=="2.0.1")) as "2.0.1" ... count(eval(appVersion=="n.0.0")) as "n.0.0" count as total_count by _time | eval 2.0.0_pct = round(2.0.0/total_count*100, 2) | eval 2.0.1_pct = round(2.0.1/total_count*100, 2) .... | eval n.0.0_pct = round(n.0.0/total_count*100, 2)
hope it helps
I'm not sure what the n.0.0 part is but the very fact that the x_pct computations share a common denominator seem to indicate that a specific point was missed...
Also, and more importantly, there is no breakdown by msg which is the important thing being counted.
Each msg count needs to be measured by the particular appVersion, then those computations compared against each other.
This is to see for example, that some message's frequency wrt to one appVersion, has increased/decreased compared to another appVersion. In this case the denominator is the total number of msgs for that particular appVersion, not a global total.
I added a comment with an example (I didn't see a way to edit my question) but apparently the comment hasn't been cleared by the moderator yet.
Sorry for any confusion. Please wait for the example to clear if the context is not clear.
| chart count over appVersion by msg
breaks the data down into the numbers needed per msg, appVersion but then the matter is computing and dividing those number by the totals by appVersion
appVersion msg1 msg2 msg3 21.30 165 802 165 21.33 4 5 4
In the example above the 21.30 total would be 165+802+165=1132 and the 21.33 total would be 4+5+4=13
so the percentages would look like
appVersion msg1 msg2 msg3
21.30 14.5 71 14.5
21.33 31 38 31
in other words, msg1 and msg3 error rates have increased in version 21.33 whereas msg2 has decreased.
msg1 msg2 msg3 diff 16.5 -33 16.5
I can see calculating percentage diff per msg between appVersion if I tilt the table. I cannot really tilt it back afterwards, but maybe you can live with that?
<your search> | eval appVersion="v_"+appVersion | eventstats count as total by appVersion | eventstats count as splitcount by appVersion msg | eval percent=round(splitcount/total*100,2) | chart values(percent) over msg by appVersion | eval diff =v_21.30 - v_21.33
(I don't know if we need to append v_ to the appVersion for doing the diff calc later),
That's still not really good because I guess you don't want the appVersion hardcoded, right?
A two version is ok for now thank you, unfortunately i am getting an eval error on the final diff expression: "Error in 'eval' command: Typechecking failed. '-' only takes numbers"... I'm assuming that the generated column names v21.30 and v21.33 are not valid because of the "."? But I don't see how to get around it with our version numbers the way they are.
Got it, for the two (or limited number), can use if to do the renaming. This provides the diff. Thank you very much!
... | eval appVersion=if(appVersion="21.30","v21_30","v21_33") | eventstats count as total by appVersion | eventstats count as splitcount by appVersion msg | eval percent=round(splitcount/total*100,2) | chart values(percent) over msg by appVersion | eval diff=(v21_30-v21_33)
So this works well for getting/seeing the basic data.
What I actually want to do is have this visualized over time with each line representing a specific msg, and the value being the diff value for that day.
I'm getting stumped on how to bucket/bin this data per day and have it visualized.
I found that in my initial test versions entered, the previous only had a very small number of events, why it didn't show up at all I'm not sure).
So once I entered a fully released previous version, I got two columns. But the data was still not what I expected/wanted for my query.
The Percentage change in the previous solution seems to be using a grand total(?) (somebody else commented that the solution might not be right/as expected?).
For example, if I have something like
msg 2.0.0 2.0.1
msg1 10 20
msg2 10 20
msg3 80 60
then I want the values (for illustration purposes)
msg 2.0.0 Total2.0.0. Percent2.0.0 2.0.1 Total2.0.1 Percent2.0.1 PercentChange
msg1 10 100 .10 40 200 .20 .10
msg2 10 100 .10 40 200 .20 .10
msg3 80 100 .80 120 200 .60 -.20
For actual results/visualization I'm mainly interested in PercentChange by msg or by graphing the Percent values by msg
My version of the "calculate percent increase of crime by month over 6 years" solution was:
| stats count by msg appVersion
| appendpipe [| stats first(count) as from last(count) as to by msg | eval count=round((to-from)*100/from,2) | eval appVersion="PercentChange"| table msg appVersion count]
| appendpipe [| stats sum(count) as count by msg | eval appVersion="Total"| table msg appVersion count]
| xyseries msg appVersion count
This resulted in showing only the second appVersion value, and all PercentChange was 0.00.