Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference of two searches

salavilli0611
New Member
‎09-19-2019 10:13 AM

Following is my splunk search :

index=main  "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval  DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval  DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]

Kindly refer to my attachment, I would like to know how I can get the diff in percentage between 2 searches.

Preview file
1 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 01:34 PM

Try this:

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]
| eval slowincreasepercent=round(slowincreasepercent,2)."%"

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:13 PM

| eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"] not working

Error received :
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:13 PM

| append [search "rest/bi/applicationStatus" Action_Response_Time>200
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 04:20 PM

Try my new answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 02:12 PM

Getting Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

tried with this as suggested :

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma
Reply

salavilli0611
New Member
‎09-19-2019 10:20 AM

The result I will be getting 2 events - field percentage in row1 and row2
what I want to know , how to diff the field of percentage ( Please refer to my screen for more visibility )

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW! Every day the list of sources Admins are responsible for gets bigger and bigger, often making ...