How to calculate percent change over selectable ti...

tkwaller_2 · ‎07-18-2024

Hello

I'd like to create a single value viz that displays the percent change from a pint in time to now. Basically, I have a dashboard that has a panel that simply counts the number of records in the given timerange. The time is a simple time picker and the base search is a simple:

index=myindex | stats count

I would like to add a panel, maybe single viz, that shows a percent change. For example, if the default is "Last 24 hours" I would like to show the count of the last 24 hours and the percent change from the previous 24 hours. Additionally, if the user selected "Last 7 days" i would like it to give the count of the last 7 days and the percent change from 7 days before that.

Thanks for the help

yuanliu · ‎07-18-2024

Make your selector token "24hour", "7day", etc. Let's call it $span_tok$. This should do.

index=myindex earliest=-$span_tok$-$span_tok$
| timechart span=$span_tok$ count
| streamstats delta(count) as pct_change
| eval pct_change = pct_change / (count - pct_change) * 100

The idea is simple, look back 2x $span_tok$, then calculate delta on the go.

How to calculate percent change over selectable timerange

count

stats

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?