Re: How to calculate the percentage increase (or d...

onthakur · ‎06-01-2022

Team,

I have below timechart which is counting http error/success codes for a span of 1hr.

Now I need to calculate the percentage increase (or decrease) in each error/success code based on previous hour.

_time	200	4xx errors	5xx errors
2022-05-23 00:00	100	20	30
2022-05-23 01:00	200	30	30
2022-05-23 02:00	250	50	60
2022-05-23 03:00	300	30	50
2022-05-23 04:00	350	40	40
2022-05-23 05:00	400	60	60
2022-05-23 06:00	500	80	80

somesoni2 · ‎06-01-2022

Try this generic search (will work with any status)

Your current search with timechart
| streamstats current=f window=1 values(*) as prev_*
| foreach prev_* [| eval "PercChange_<<MATCHSTR>>" =round(('<<MATCHSTR>>'-'<<FIELD>>')*100/'<<FIELD>>',2)]

ITWhisperer · ‎06-01-2022

Try something like this

| streamstats current=f window=1 latest('200') as previous_200 latest('4xx errors') as previous_4xx_errors latest('5xx errors') as previous_5xx_errors
| eval 200increase = 100 * '200' / previous_200 - 100
| eval 4xxincrease = 100 * '4xx errors' / previous_4xx_errors - 100
| eval 5xxincrease = 100 * '5xx errors' / previous_5xx_errors - 100

How to calculate the percentage increase (or decrease) in each error/success code based on previous hour?

stats

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How to calculate the percentage increase (or decrease) in each error/success code based on previous hour?

stats

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience