Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Percentage chart

leandromatperei
Path Finder
‎11-29-2019 11:31 AM

Hi.
I have a query that makes the difference of a query comparing today with last week.

I would like to generate a graph of percentage difference between the two, could someone help me?

My chart generates a timeline with events, however I would like a percentage chart.

earliest=-1w-12h latest=-1w index="raw_teste" (host=host1OR host=host2) "Retrieving message #"
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "SemanaPassada" by time

| appendcols [search earliest=-12h latest=-5s index="raw_teste" (host=host1OR host=host2) "Retrieving message #" 
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "Hoje" by time]
Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2019 02:37 PM

You need the timewrap command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 05:50 PM 
 | makeresults count=2
 | streamstats count
 | eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
 | makecontinuous span=3m
 | where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w")
 | eval count=random() % 2 
 | where count = 1
 `comment("this is sample data")`
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | bin span=1h _time
 | eval hours=strftime(_time,"%H%M%S")
 | chart sum(count) as count over hours by date
 | eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100
 | eval _time=strptime(hours,"%H%M%S")
 | eval thresh=30
 | table _time Difference thresh

I don't know well, but is it like this?

Please try with Line Chart

When using it for alerts, change the 15th line to where Difference > 30.

I would like to generate a graph of percentage difference between the two, could someone help me?

I thought it is a chart, because you wrote this. but

where I want a chart of type Single Value?

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s")) 
| makecontinuous span=3m 
| where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w") 
| eval count=random() % 2 
| where count = 1 
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje") 
| bin span=1h _time 
| eval hours=strftime(_time,"%H%M%S") 
| chart sum(count) as count over hours by date 
| eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100 
| eval _time=strptime(hours,"%H%M%S") 
| table _time Difference

Please try with Single Value.

If you just give a number, stats is fine, but if you want a change, you need timechart, etc.

0 Karma
Reply

leandromatperei
Path Finder
‎11-30-2019 06:04 AM

I don't think I understood your last appointment well.

For example in the query below how would I do to calculate the percentage difference where I want a chart of type Single Value?

Could you show me.

index=* ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | stats count by date
0 Karma
Reply

to4kawa
Ultra Champion
‎11-30-2019 02:42 PM

I amended answer.

Please tell me the calculation formula.

last_week - today?

0 Karma
Reply

leandromatperei
Path Finder
‎11-30-2019 04:45 PM

Thanks,

I need to calculate the difference in values ​​between last week and today in the 01 hour range.

I need a single value chart and if it goes above 30% it turns red.

index=main ( earliest=-1w-1h latest=-1w) OR (earliest=-1h latest=-5s) | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")

The calculation can be from last week - today.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-30-2019 05:06 PM

please check my last Answer

the calculation is eval Difference
if it is wrong, you can change it.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 03:36 PM 
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
| makecontinuous span=20m
| where _time > relative_time(now(),"-12h") OR _time < relative_time(now(),"-1w")
| eval count ="Retrieving message #"
| rename count as _raw
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

Hi, This is sample query.

index="raw_teste" (host=host1OR host=host2) "Retrieving message #" ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

How about this? (Visualisation > Pie Chart)

0 Karma
Reply

leandromatperei
Path Finder
‎11-29-2019 05:10 PM

Hi,

I would like a percentage number chart comparing these two values, is it possible?

I need to check two absolute values ​​and see if there is a difference is above 30%

These values ​​are always comparing today with last week's date on the 01 hour timerange.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 05:33 PM

I need to check two absolute values ​​and see if there is a difference is above 30%

Please tell me the calculation formula

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...