Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I make a search that compares weekly values and shows the percentage difference between fields?

becksyboy
Communicator
‎09-24-2018 05:24 AM

Hi,

I would like to compare 1 week of tabled data to the previous weeks and calculate the percentage difference for each field value for field note_label

Initial search:

 search... | stats count by note_label

 note_label      count
 abc                   10
 abcd           20
 abcde          30

I would like to show the data as:

note_label      count (week1)  count(week2)   %Change
 abc                   10          20                   100%
 abcd                 20          5                     -75%
 abcde          40             60                    50%

I may be following the wrong route as i tried this but had no luck, and may need to use a different method? This search only give me the "note_label" field value names, but not the values.

 earliest=-1w latest=now my_search | stats earliest(note_label) as e_status_label latest(note_label) as l_note_label  | eval 1w=(l_note_label-e_note_label)/e_note_label*100
 | appendcols [ search earliest=-2w latest=now my_search | stats earliest(note_label) as e_note_label latest(note_label) as l_note_label  | eval 2w=(l_note_label-e_note_label)/e_note_label*100 ]
 | fields note_label 1w 2w

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

becksyboy
Communicator
‎09-25-2018 04:39 AM

I managed to figure it out in the end. I stuck with appendcols and changed my search with eval to calculate the percentage differences;

earliest=-1w latest=now MYSEARCH | rename count AS count_this_week status_label AS Supression_status
| appendcols
[ search earliest=-2w latest=-1wMYSEARCH | rename count AS count_last_week status_label AS Supression_status] | eval change= ((count_this_week - count_last_week)/count_this_week)*100 | eval change=round(change,2) | eval change= change+ " %"|fields Supression_status, count_this_week, count_last_week, change

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

becksyboy
Communicator
‎09-25-2018 04:39 AM

I managed to figure it out in the end. I stuck with appendcols and changed my search with eval to calculate the percentage differences;

earliest=-1w latest=now MYSEARCH | rename count AS count_this_week status_label AS Supression_status
| appendcols
[ search earliest=-2w latest=-1wMYSEARCH | rename count AS count_last_week status_label AS Supression_status] | eval change= ((count_this_week - count_last_week)/count_this_week)*100 | eval change=round(change,2) | eval change= change+ " %"|fields Supression_status, count_this_week, count_last_week, change

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...