Calculate Percentage Difference Between Two Search...

albyva · ‎07-17-2013

When running a single search on bandwidth data I can calculate the percentage between bandwidth In and Out using this eval fucntion:

| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference _time

What I want to do is calculate the percentage change between bandwidth over a 5/minute time span. For example, lets assume I'm seeing 100/mbps of bandwidth at 12:00p Noon and at 12:05p the bandwidth jumps to 125/mbps. How can I calculate the 25% increase in bandwidth between those two timespans/searches?

albyva · ‎07-17-2013

Wonderful. Thanks for the | bucket command tip.

aholzer · ‎07-17-2013

Like @linu1988 points out, you can use the bucket command to get the values for every 5 mins, then you can use the delta command to calculate the difference between two adjacent events.

Your search would look like:
| bucket _time span=5m| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | delta percent_difference as delta_percent | table _time, percent_difference, delta_percent

Here's the documentation on delta: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Delta

linu1988 · ‎07-17-2013

Could you please give the below query a try:

|bucket _time span=5m| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference ,_time

Thanks

Calculate Percentage Difference Between Two Searches

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...