Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate percentage increase/reduction

superisk
Explorer
‎01-20-2021 09:25 AM

Hello,

I have calculated my Total Escalations per Quarter using stats count and I would like to include another field to calculate the percentage increase/decrease of Total Escalations per Quarter.

My query -

| inputlookup Case_Database_v2.csv
| rename "Case Number" AS Case_Number
| search Role=Support Squad=*CMS*
| lookup EAS_Escalations_v1.csv "Case Number" AS Case_Number OUTPUTNEW "Case Number"
| rename "Case Number" AS EAS_Case_Number
| eventstats dc(Case_Number) as CaseCount by Quarter
| stats count(EAS_Case_Number) as Total_Escalations by Quarter, CaseCount
| eval EAS_Escalation(Percentage)=round(Distinct_Escalations/CaseCount*100,2)

 

And this shows -

 

   
QuarterCaseCountTotal Escalations
Qtr 1799315
Qtr 2889368
Qtr 3798287
Qtr 4777220

 

I would like to calculate the percentage reduction per quarter, for example,  Qtr 4 Total Escalations of 220 is a 13.5% reduction on the 287 escalations from Qtr 3.

Any help is much appreciated!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 10:24 AM

Streamstats should do it.

| inputlookup Case_Database_v2.csv
| rename "Case Number" AS Case_Number
| search Role=Support Squad=*CMS*
| lookup EAS_Escalations_v1.csv "Case Number" AS Case_Number OUTPUTNEW "Case Number"
| rename "Case Number" AS EAS_Case_Number
| eventstats dc(Case_Number) as CaseCount by Quarter
| stats count(EAS_Case_Number) as Total_Escalations by Quarter, CaseCount
| eval EAS_Escalation(Percentage)=round(Distinct_Escalations/CaseCount*100,2)
| streamstats window=2 range(Total_Escalations) as Diff
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 10:24 AM

Streamstats should do it.

| inputlookup Case_Database_v2.csv
| rename "Case Number" AS Case_Number
| search Role=Support Squad=*CMS*
| lookup EAS_Escalations_v1.csv "Case Number" AS Case_Number OUTPUTNEW "Case Number"
| rename "Case Number" AS EAS_Case_Number
| eventstats dc(Case_Number) as CaseCount by Quarter
| stats count(EAS_Case_Number) as Total_Escalations by Quarter, CaseCount
| eval EAS_Escalation(Percentage)=round(Distinct_Escalations/CaseCount*100,2)
| streamstats window=2 range(Total_Escalations) as Diff
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

superisk
Explorer
‎01-20-2021 11:43 AM

Thank you kindly!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...