Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Day to day % Difference

allansneddon
Explorer
‎04-25-2017 01:22 AM

Hi guys,

I create daily reports with various data on that we collect, and i am now looking to add a few extra bits of information that will be useful to the team.
I am looking to create a chart that show the % difference from the today's data against the data received the day before. For example if we received 100 events yesterday and 200 today it shows an increase of 100%. Any help would be very much appreciated.

Cheers,

Allan

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-25-2017 06:58 AM

Ideally, streamstats should be used for this (depending upon what is your current search). However, delta can be used if you query is a simple scenario like a timechart being plotted for daily span. The delta command will give you the difference of count in the current row with previous row. This way you will have a way to identify what was the previous day's total. See the following run anywhere search based on Splunk's _internal index.

index=_internal sourcetype="splunkd" log_level="WARN"
| timechart span=1d count
| delta count as Delta
| fillnull value=0 Delta
| eval Total=count-Delta
| eval percIncrDecr=(Delta/Total)*100
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-25-2017 06:58 AM

Ideally, streamstats should be used for this (depending upon what is your current search). However, delta can be used if you query is a simple scenario like a timechart being plotted for daily span. The delta command will give you the difference of count in the current row with previous row. This way you will have a way to identify what was the previous day's total. See the following run anywhere search based on Splunk's _internal index.

index=_internal sourcetype="splunkd" log_level="WARN"
| timechart span=1d count
| delta count as Delta
| fillnull value=0 Delta
| eval Total=count-Delta
| eval percIncrDecr=(Delta/Total)*100
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

allansneddon
Explorer
‎04-26-2017 12:56 AM

This works, thank you so much!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-27-2017 07:14 AM

Great Cheers!!! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...