How do you calculate the difference between two specific values in the same field (%) then timechart span=1h for the past 24hrs

johnward4
Communicator

How do you calculate the difference between two specific values in the same field and return that value in a percent format? I then need to be able to timechart that percentage difference over time. For my example this would be

conversion rate % span 1h

I've seen a few eval calculation examples, but none that gave me the output I'm looking for.

index=example event="Entered Site" OR event="Checkout"
| top event
| eval percent = round(percent, 2)
0 Karma
1 Solution

HiroshiSatoh
Champion

Is it like this?

 index=example event="Entered Site" OR event="Checkout"
 | timechart span=1h count(eval(event="Entered Site")) as Entered,count(eval(event="Checkout")) as Checkout
 | eval percent=round(Checkout/Entered,2)
 | table _time,percent

0 Karma

johnward4
Communicator

@HiroshiSatoh I'm trying to essentially reproduce the graph below that I have in an application called Mixpanel. I've onboarded the data to Splunk and the field I'm looking to visualize is called "event". In the event field there are values called "App Opened" and "Product Checkout Began". I would like to know how you can calculate the % of Product Checkout Began from the total of App Opened and then timechart that % over time. For example, what is my conversion rate % per hour?

0 Karma

HiroshiSatoh
Champion

The answer was corrected.

0 Karma
