Hello All,
Been trying to get the hang of syntax within Splunk and have been able to sus out a basic understanding, true to form for myself, I usually end up jumping into the deep end when I do things, so bear with me.
I am attempting to creat a report/search/dashboard that looks over the last four hours and will display the largest percent increase of a value.
The field is BIN currently stored as a numerical value, I have tried the tostring command to transform it but usually ends up as no values being returned or them all being grouped together.
But I digress, how would I first create a search/table view that would be updated along a described timeframe lets say every hour where it looks at the previous timeframe as a percentage of total records for that timeframe and calculates the percentage increase of the two timeframes and filters to see the top 20 increases?
Example:
I would want to ignore any decreasing values and possibly only see the top 20 that had increased that are greater than or equal to a 15% increase.
BIN | Percent 2 hour ago | Percent 1 hr ago | Pecent change |
123456 | 10% | 12% | 16.7% |
234561 | 10% | 8% | -25% |
345612 | 30% | 25% | -20% |
456123 | 35% | 30% | -16.7% |
561234 | 15% | 25% | 40% |