Solved: Difference between count of events grouped by host...

Haleb · ‎02-09-2024

I have the following SPL search.

index="cloudflare"
| top ClientRequestPath by ClientRequestHost
| eval percent = round(percent,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Wich give me this result. I also need to group it by 10m time range and calculate the difference in percents between 2 previous time ranges for every line. Help me figure out how do that, thx.

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

View solution in original post

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Difference between count of events grouped by host and path for 2 last 10m time ranges

chart

eval

stats

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...