Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate percentage deviation

MousumiChowdhur
Contributor
‎12-08-2017 12:39 AM

Hi,

I have logs which looks similar to the sample data attached. In my current scenario I have 30 days hourly data for each of the 9 nodes i.e., "msc "and 303 KPIs i.e., "never" in the sample log. I want to calculate the %deviation of the KPIs i.e., never_* for the latest day from the average of last 30 days. I could calculate the deviation with the below logic but unable to structure the logic to calculate the %deviation. Kindly suggest if my logic is correct to calculate deviation:

index=<indexname> | stats avg(never_*) as avg_* latest(never_*) as values_* by date_hour, msc | foreach values_* [eval deviation_<<MATCHSTR>>=abs(avg_<<MATCHSTR>>-<<FIELD>>] | table date_hour msc deviation_* | stats avg(deviation_*) as avg_dev_* by msc | eval total_avg_dev=0 | foreach avg_dev_* [eval total_avg_dev=<<FIELD>>+total_avg_dev] | eval avg_avg_dev=total_avg_dev/303 | table msc avg_avg_dev | sort - avg_avg_dev | rename avg_avg_dev as deviation | head 10

If this correct then, how should I calculate the percentage deviation in this case?

Preview file
78 KB
Reply

mayurr98
Super Champion
‎12-08-2017 02:38 AM

Try This:

index=<your_index>
| stats avg(never*) AS avg_never* latest(never*) AS current_never* by hour, msc_name
| foreach current_* [eval pct_deviation_<<MATCHSTR>>=abs(<<FIELD>>-avg_<<MATCHSTR>>)*100/avg_<<MATCHSTR>>]
| table hour msc_name pct_deviation_*
| stats avg(pct_deviation_*) AS avg_pctdeviation_* by msc_name | addtotals| eval avg=Total/5 | fields msc_name avg
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...