Re: How to calculate the difference of two searche...

salavilli0611 · ‎09-19-2019

Following is my splunk search :

index=main  "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval  DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval  DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]

Kindly refer to my attachment, I would like to know how I can get the diff in percentage between 2 searches.

richgalloway · ‎09-19-2019

Try this:

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]
| eval slowincreasepercent=round(slowincreasepercent,2)."%"

---
If this reply helps you, Karma would be appreciated.

salavilli0611 · ‎09-19-2019

| eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"] not working

Error received :
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

salavilli0611 · ‎09-19-2019

| append [search "rest/bi/applicationStatus" Action_Response_Time>200
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

richgalloway · ‎09-19-2019

Try my new answer.

---
If this reply helps you, Karma would be appreciated.

salavilli0611 · ‎09-19-2019

Getting Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

tried with this as suggested :

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

salavilli0611 · ‎09-19-2019

The result I will be getting 2 events - field percentage in row1 and row2
what I want to know , how to diff the field of percentage ( Please refer to my screen for more visibility )

How to calculate the difference of two searches

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7