Re: In splunk to find percentage difference for ea...

pswalia06 · ‎08-09-2018

I need to find the difference between each date for each App_name in splunk

Right now my query just show the today number of record recieve each day per topic name/ Appname. I want to find out the percentage difference of record for each day from its previous day.

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." | timechart span=24h sum(record) as records by topic_name

Can someone help

renjith_nair · ‎08-10-2018

@pswalia06,

Try this

index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w.\/_-]+)\s" | rex field=source ".(?[\w\/_-]+)." 
|timechart span=24h sum(record) as records by topic_name
|untable _time,topic_name,records|sort topic_name,_time
|streamstats last(records) as prev_records  current=f window=1 reset_on_change=true by topic_name|fillnull value=0
|eval perc=((records-prev_records  )/records)*100|fields - records,prev_records  |xyseries _time,sourcetype,perc

---
What goes around comes around. If it helps, hit it with Karma 🙂

In splunk to find percentage difference for each column

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!