How to calculate percent change over selectable ti...

tkwaller_2 · ‎07-18-2024

Hello

I'd like to create a single value viz that displays the percent change from a pint in time to now. Basically, I have a dashboard that has a panel that simply counts the number of records in the given timerange. The time is a simple time picker and the base search is a simple:

index=myindex | stats count

I would like to add a panel, maybe single viz, that shows a percent change. For example, if the default is "Last 24 hours" I would like to show the count of the last 24 hours and the percent change from the previous 24 hours. Additionally, if the user selected "Last 7 days" i would like it to give the count of the last 7 days and the percent change from 7 days before that.

Thanks for the help

yuanliu · ‎07-18-2024

Make your selector token "24hour", "7day", etc. Let's call it $span_tok$. This should do.

index=myindex earliest=-$span_tok$-$span_tok$
| timechart span=$span_tok$ count
| streamstats delta(count) as pct_change
| eval pct_change = pct_change / (count - pct_change) * 100

The idea is simple, look back 2x $span_tok$, then calculate delta on the go.

How to calculate percent change over selectable timerange

count

stats

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...