Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Delta in percentage between columns in a report

cafissimo
Communicator
‎04-03-2013 06:47 AM

Hello,
I have this search (executed over last 7 days):

sourcetype=access_* action=purchase | bucket _time span=1d | convert ctime(_time) timeformat="%m/%d" | chart sum(price) as sales over productId by _time

that is returning me a table having dates as columns name and productId as rows.
I can't find out how to caluclate the difference between columns of the report (for example, the first column, that is the first day, and the last column=last day).

Thanks in advance and best regards.

Tags (3)
Reply

bmacias84
Champion
‎04-03-2013 10:42 AM

I think you want autoregress and stats command.



#Should be shorted by productId then by time. Becarefull of short order. This should give you the delta.

sourcetype=access_* action=purchase | bucket _time span=1d | convert ctime(_time) timeformat="%m/%d" | stats sum(price) as sales by productId ,_time |autoregress productId as preproductId | autoregress sales as presales | eval chg_in_sales=(sales-presales)| eval chg_in_sales=if(productId==preproductId,chg_in_sales,null()| table _time,productId,sales,chg_in_sales

If you want to a percentage of total sales by productId I might consider doing a subsearch with join and filldown. I am also doing this off the cuff so you may need a fields and sort command before the first autoregress.

Check out my other post.

line-chart-cumulative-counters-by-host

Hope this helps are gets you started. Dont forget to vote up and/or accept answers.

Cheers,

0 Karma
Reply

cafissimo
Communicator
‎04-05-2013 07:34 AM

Hello,
I have solved my issue in this way:

1) I populate a summary index every hour with this search:
ourcetype=access_* action=purchase earliest=-7d@d latest=@d | bucket _time span=1d | stats sum(price) by _time productId

2) I have created a search with many join commands to get final results...

Thank you bmacias84.

0 Karma
Reply

gfuente
Motivator
‎04-03-2013 07:02 AM

Hello

Maybe you could use traspose command to switch rows and columns, and then use delta command to calculate the difference between each row.

Regards

0 Karma
Reply

cafissimo
Communicator
‎04-03-2013 08:43 AM

Thank you,
but I think your solution cannot be applied.
I need to keep dates as column names (example: "3/21", "3/22", "3/23") and I want to add a final column that is the difference in percentage between the first and last column (in the example the differences between values under "3/21" and "3/23").
Kind regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...