How to create a search that calculates the percent...

MarianaPereira · ‎06-03-2020

Hello!!!

I need to calculate the percentage between the rows in my table, like this, for example:

Search:

| bucket span=10m _time
| stats count by _time

Result:

    _time                  count
1   2020-06-03 16:10:00 27656974
2   2020-06-03 16:20:00 68834318
3   2020-06-03 16:30:00 68160616
4   2020-06-03 16:40:00 67655028
5   2020-06-03 16:50:00 66023251
6   2020-06-03 17:00:00 65418711
7   2020-06-03 17:10:00 36918173

How can I calculate perc1=row2/row1, perc2=row3/row2, and so on?

gcusello · ‎06-03-2020

Hi @MarianaPereira,
you can use delta and eval commans:

your_search
| bucket span=10m _time
| stats count by _time
| delta count AS diff
| eval prev=diff-count, perc=count/prev*100
| table _time count perc

Ciao.
Giuseppe

jrceja313 · ‎06-03-2020

I would recommend looking into autoregress.

You could also look into streamstats or eventstats
This may be helpful.
https://answers.splunk.com/answers/310189/is-it-possible-to-autoregress-by-unique-site.html

How to create a search that calculates the percentage between two rows?

stats

table

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?