How to calculate percent change over selectable ti...

tkwaller_2 · ‎07-18-2024

Hello

I'd like to create a single value viz that displays the percent change from a pint in time to now. Basically, I have a dashboard that has a panel that simply counts the number of records in the given timerange. The time is a simple time picker and the base search is a simple:

index=myindex | stats count

I would like to add a panel, maybe single viz, that shows a percent change. For example, if the default is "Last 24 hours" I would like to show the count of the last 24 hours and the percent change from the previous 24 hours. Additionally, if the user selected "Last 7 days" i would like it to give the count of the last 7 days and the percent change from 7 days before that.

Thanks for the help

yuanliu · ‎07-18-2024

Make your selector token "24hour", "7day", etc. Let's call it $span_tok$. This should do.

index=myindex earliest=-$span_tok$-$span_tok$
| timechart span=$span_tok$ count
| streamstats delta(count) as pct_change
| eval pct_change = pct_change / (count - pct_change) * 100

The idea is simple, look back 2x $span_tok$, then calculate delta on the go.

How to calculate percent change over selectable timerange

count

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation