How to calculate percent change over selectable ti...

tkwaller_2 · ‎07-18-2024

Hello

I'd like to create a single value viz that displays the percent change from a pint in time to now. Basically, I have a dashboard that has a panel that simply counts the number of records in the given timerange. The time is a simple time picker and the base search is a simple:

index=myindex | stats count

I would like to add a panel, maybe single viz, that shows a percent change. For example, if the default is "Last 24 hours" I would like to show the count of the last 24 hours and the percent change from the previous 24 hours. Additionally, if the user selected "Last 7 days" i would like it to give the count of the last 7 days and the percent change from 7 days before that.

Thanks for the help

yuanliu · ‎07-18-2024

Make your selector token "24hour", "7day", etc. Let's call it $span_tok$. This should do.

index=myindex earliest=-$span_tok$-$span_tok$
| timechart span=$span_tok$ count
| streamstats delta(count) as pct_change
| eval pct_change = pct_change / (count - pct_change) * 100

The idea is simple, look back 2x $span_tok$, then calculate delta on the go.

How to calculate percent change over selectable timerange

count

stats

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation