Solved: Difference between count of events grouped by host...

Haleb · ‎02-09-2024

I have the following SPL search.

index="cloudflare"
| top ClientRequestPath by ClientRequestHost
| eval percent = round(percent,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Wich give me this result. I also need to group it by 10m time range and calculate the difference in percents between 2 previous time ranges for every line. Help me figure out how do that, thx.

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

View solution in original post

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Difference between count of events grouped by host and path for 2 last 10m time ranges

chart

eval

stats

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud