Splunk Search

Calculate the percentage difference of search 1 to search 2?

Builder

Hi

I have two different searches and two different results, as follows:

Search 1:

index="xyz" ".handleCommitOrder"|xmlkv | timechart count(date_mday) span=1h

Result of search 1:

_time                  count(date_mday)
2015-09-30 09:00              38
2015-09-30 10:00              29
2015-09-30 11:00              57
2015-09-30 12:00              37
2015-09-30 13:00              30

Search 2:

index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart count(Order_Number)  span=1h

Result of Search 2:

_time                 count(Order_Number)
2015-09-30 09:00              714
2015-09-30 10:00              813
2015-09-30 11:00              967
2015-09-30 12:00              958
2015-09-30 13:00              110

Now I want to know the percentage difference between search 1 and search 2. How can I display them in a statistical result?

Is it possible in Splunk?
Please help.

0 Karma
1 Solution

SplunkTrust

You could run this:

index="xyz" ".handleCommitOrder" | xmlkv | timechart span=1h count as commits
| appendcols [search index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" | xmlkv | timechart span=1h count as orders]
| eval percentage = commits / orders * 100

Not sure what exact calculation you want between the two, just adapt the eval to your needs.

0 Karma


Builder

Thanks, it worked, but it is taking too much time parsing the search.

0 Karma

SplunkTrust

That's the time taken to run the subsearch.

0 Karma
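
Since the extra time comes from the subsearch, one alternative is to read the index once and count both kinds of event in the same pass. This is an added example, not part of the original thread; the field names is_commit and is_order are made up here, and it assumes, as the accepted answer does, that a plain event count per hour is what is wanted.

```spl
index="xyz" (".handleCommitOrder" OR ((source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log") "Order_Number"))
| eval is_commit = if(searchmatch("\".handleCommitOrder\""), 1, 0)
| eval is_order = if((source=="/opt/jboss/server/abc/log/server.log" OR source=="/opt/jboss/server/def/log/server.log") AND searchmatch("Order_Number"), 1, 0)
| timechart span=1h sum(is_commit) as commits sum(is_order) as orders
| eval percentage = if(orders > 0, round(commits / orders * 100, 2), null())
```

An event that matches both conditions is counted in both columns, as it would be by the two separate searches. Compare the hourly counts with the appendcols version over the same time range before relying on it.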