Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference of two searches

salavilli0611
New Member
‎09-19-2019 10:13 AM

Following is my splunk search :

index=main  "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval  DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval  DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]

Kindly refer to my attachment, I would like to know how I can get the diff in percentage between 2 searches.

Preview file
1 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 01:34 PM

Try this:

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]
| eval slowincreasepercent=round(slowincreasepercent,2)."%"

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:13 PM

| eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"] not working

Error received :
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:13 PM

| append [search "rest/bi/applicationStatus" Action_Response_Time>200
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 04:20 PM

Try my new answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:12 PM

Getting Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

tried with this as suggested :

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 10:20 AM

The result I will be getting 2 events - field percentage in row1 and row2
what I want to know , how to diff the field of percentage ( Please refer to my screen for more visibility )

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...