How to calculate the percentage increase (or decre...

onthakur · ‎06-01-2022

Team,

I have below timechart which is counting http error/success codes for a span of 1hr.

Now I need to calculate the percentage increase (or decrease) in each error/success code based on previous hour.

_time	200	4xx errors	5xx errors
2022-05-23 00:00	100	20	30
2022-05-23 01:00	200	30	30
2022-05-23 02:00	250	50	60
2022-05-23 03:00	300	30	50
2022-05-23 04:00	350	40	40
2022-05-23 05:00	400	60	60
2022-05-23 06:00	500	80	80

somesoni2 · ‎06-01-2022

Try this generic search (will work with any status)

Your current search with timechart
| streamstats current=f window=1 values(*) as prev_*
| foreach prev_* [| eval "PercChange_<<MATCHSTR>>" =round(('<<MATCHSTR>>'-'<<FIELD>>')*100/'<<FIELD>>',2)]

ITWhisperer · ‎06-01-2022

Try something like this

| streamstats current=f window=1 latest('200') as previous_200 latest('4xx errors') as previous_4xx_errors latest('5xx errors') as previous_5xx_errors
| eval 200increase = 100 * '200' / previous_200 - 100
| eval 4xxincrease = 100 * '4xx errors' / previous_4xx_errors - 100
| eval 5xxincrease = 100 * '5xx errors' / previous_5xx_errors - 100

How to calculate the percentage increase (or decrease) in each error/success code based on previous hour?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation