How to calculate the difference of two searches

New Member

Following is my Splunk search:

index=main  "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval  DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval  DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount") 
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]

Kindly refer to my attachment. I would like to know how I can get the diff in percentage between the 2 searches.

0 Karma

Re: How to calculate the difference of two searches

New Member

The result I will be getting is 2 events, with the percentage field in row 1 and row 2.
What I want to know is how to diff the percentage field (please refer to my screen for more visibility).

0 Karma

Re: How to calculate the difference of two searches

SplunkTrust

Try this:

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100]
| eval slowincreasepercent=round(slowincreasepercent,2)."%"

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to calculate the difference of two searches

New Member

Getting Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

Tried with this as suggested:

index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval DBCount =if(_time>relative_time(now(),"-15m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent=((CurrentCount-PreviousCount)/PreviousCount)*100

| append [search "rest/bi/applicationStatus" Action_Response_Time>1
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma

Re: How to calculate the difference of two searches

New Member

| eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"] not working

Error received:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma

Re: How to calculate the difference of two searches

New Member

| append [search "rest/bi/applicationStatus" Action_Response_Time>200
| eval DBCount =if(_time>relative_time(now(),"-45m") , "CurrentCount","PreviousCount")
| chart count over Action_Name by DBCount | eval slowincreasepercent = round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"]

0 Karma
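
The eval expression quoted in the posts above has one more closing parenthesis than opening ones. The following Python check is an added example, not part of the original thread; the function name `paren_issues` and the `FIXED` expression are assumptions made for illustration.

```python
"""Locate unbalanced parentheses in a Splunk eval expression (added example)."""


def paren_issues(expr):
    """Return sorted (index, problem) tuples for unmatched parentheses.

    Parentheses inside double-quoted strings or single-quoted field names
    are ignored; a backslash escapes the next character inside quotes.
    """
    issues = []
    open_stack = []   # indexes of '(' still waiting for a ')'
    quote = None      # the quote character we are currently inside, if any
    i = 0
    while i < len(expr):
        ch = expr[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            open_stack.append(i)
        elif ch == ")":
            if open_stack:
                open_stack.pop()
            else:
                issues.append((i, "unmatched ')'"))
        i += 1
    issues.extend((pos, "unclosed '('") for pos in open_stack)
    if quote:
        issues.append((len(expr), "unterminated quote"))
    return sorted(issues)


# Expression as posted in the thread (the one that raised the eval error).
POSTED = 'round(((CurrentCount-PreviousCount)/PreviousCount)*100),2)."%"'
# Assumed correction: drop the ')' after 100 so ",2" is round()'s second argument.
FIXED = 'round(((CurrentCount-PreviousCount)/PreviousCount)*100,2)."%"'

if __name__ == "__main__":
    for label, expr in (("posted", POSTED), ("fixed", FIXED)):
        print(label, paren_issues(expr) or "balanced")
```

The checker reports the position at which the imbalance becomes detectable (the `)` after `,2`), which is not necessarily the character to delete; here the stray parenthesis is the one after `100`, which closes `round(` before its second argument.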

Re: How to calculate the difference of two searches

SplunkTrust

Try my new answer.

0 Karma