Re: In splunk to find percentage difference for ea...

pswalia06 · ‎08-09-2018

I need to find the difference between each date for each App_name in splunk

Right now my query just show the today number of record recieve each day per topic name/ Appname. I want to find out the percentage difference of record for each day from its previous day.

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." | timechart span=24h sum(record) as records by topic_name

Can someone help

renjith_nair · ‎08-10-2018

@pswalia06,

Try this

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." 
|timechart span=24h sum(record) as records by topic_name
|untable _time,topic_name,records|sort topic_name,_time
|streamstats last(records) as prev_records  current=f window=1 reset_on_change=true by topic_name|fillnull value=0
|eval perc=((records-prev_records  )/records)*100|fields - records,prev_records  |xyseries _time,sourcetype,perc

Happy Splunking!

In splunk to find percentage difference for each column

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!