Solved: Difference between count of events grouped by host...

Haleb · ‎02-09-2024

I have the following SPL search.

index="cloudflare"
| top ClientRequestPath by ClientRequestHost
| eval percent = round(percent,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Wich give me this result. I also need to group it by 10m time range and calculate the difference in percents between 2 previous time ranges for every line. Help me figure out how do that, thx.
Screenshot 2024-02-09 153030.png

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

View solution in original post

ITWhisperer · ‎02-09-2024

You may need to go back to basics to get your time buckets it. Start with something like this

index="cloudflare"
| bin _time span=10m
| stats count by _time ClientRequestHost ClientRequestPath
| eventstats sum(count) as total by _time ClientRequestHost
| eval percent = round(count / total,2)
| rename count as "Events", ClientRequestPath as "Path", percent as "%"

Difference between count of events grouped by host and path for 2 last 10m time ranges

chart

eval

stats

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)