Solved: How to display the delta value in percentage

akarivaratharaj · ‎04-09-2018

I have a requirement to show the monthly growth percentage of an object. Basically need to find out the growth of an object in percentage when compared to the previous month.Below is the query which I am using

index=main
|timechart span=1mon sum(OBJECT_SIZE_GB) as Size
|delta Size AS Data_Growth p=1

So first I am displaying the total size of my object as "Size" and then displaying the size difference between consecutive months with the help of delta. Below is the sample how the results look like (added '|' for more clarity):

_time | Size | Data_Growth
2018-01 | 2429833.14 |
2018-02 | 2511015.66 | 81182.52
2018-03 | 2571432.37 | 60416.71

Now I need to find the Growth percentage of each month. I am not sure how to achieve this.

Could anyone please help me on this.

somesoni2 · ‎04-09-2018

Try like this

index=main 
|timechart span=1mon sum(OBJECT_SIZE_GB) as Size
|delta Size AS Data_Growth p=1
| eval Perc_Growth=round(Data_Growth*100/(Size-Data_Growth),2)

In denominator, I'm subtracting Data_Growth from current rows Size to get the Size of previous row, so that we can compare how much it grew from previous time span.

View solution in original post

somesoni2 · ‎04-09-2018

Try like this

index=main 
|timechart span=1mon sum(OBJECT_SIZE_GB) as Size
|delta Size AS Data_Growth p=1
| eval Perc_Growth=round(Data_Growth*100/(Size-Data_Growth),2)

In denominator, I'm subtracting Data_Growth from current rows Size to get the Size of previous row, so that we can compare how much it grew from previous time span.

niketn · ‎04-09-2018

@akarivaratharaj, try the following search:

index=main OBJECT_SIZE_GB=*
| timechart span=1mon sum(OBJECT_SIZE_GB) as Size
| delta Size as Delta_Growth
| eval Growth_Perc=round((Delta_Growth/(Size-Delta_Growth))*100,1)
| fillnull value=0 Growth_Perc

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

akarivaratharaj · ‎04-09-2018

@p_gurav & @niketn,

Thanks both for the quick response.

I have tried both the query, I can see there is little difference between both the results. Because one is just dividing the data_growth by total size and multiplying with 100 to get the percentage and the other one is dividing the data_growth by sum of total size & data_growth and then multiplying with 100.

Can I know the difference between both the queries and which gives me the effective/accurate results.

akarivaratharaj · ‎04-09-2018

Actually Data_Growth field is nothing but delta of two consecutive sizes. But why that needs to be added or subtracted to/from Size field.

I am not clear on that part. Can anyone please explain me.

niketn · ‎04-09-2018

@akarivaratharaj, In simple terms if in the month of March Data Volume was 100 GB and in April it became 110 GB, the Data Growth is 10% i.e.

(10/100)*100 or (delta/old value)*100 or (delta/(new value-delta))*100 or (10/(110-10))*100

Where old value=new value - delta

Try the following run any where search on similar lines as per example here:

|  makeresults
|  eval data="Time=\"03/01/2018\",Size=100;Time=\"04/01/2018\",Size=110;"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  KV
|  table Time Size
|  delta Size as deltaGrowth
|  eval percentGrowth=round((deltaGrowth/(Size-deltaGrowth))*100,1)
|  fillnull percentGrowth value=0

Hope it clarifies the math ( I am not good at it myself ;)).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

akarivaratharaj · ‎04-09-2018

Thankyou so much for everyone's help

niketn · ‎04-09-2018

@akarivaratharaj, please accept @somesoni2 's answer. Also up vote all the comments that helped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

akarivaratharaj · ‎04-10-2018

sure!! Thankyou!!

somesoni2 · ‎04-09-2018

Generally when you calculate percent growth (or just growth), so compare what it was (previous value) with what it's now (current value). So, for 2nd row growth, you'd compare the change (Data_Growth) considering value of 1st row as base. Now to value of first row, we're using current value (Size)-change from previous value(Data_Growth) to calculate previous row. If instead of Delta, you'd use streamstats, you'd be doing like this:

index=main 
 |timechart span=1mon sum(OBJECT_SIZE_GB) as Size
| streamstats current=f window=1 values(Size) as previous_Size
| eval Data_Growth=Size-previous_Size
| eval Perc_Growth=round((Size-previous_Size)*100/previous_Size,2)

akarivaratharaj · ‎04-10-2018

I have used streamstats only. Thankyou!

niketn · ‎04-09-2018

@akarivaratharaj, Sorry I did a mistake as pointed out by @somesoni2. I was supposed to do a Size-Delta_Growth to get the previous Size. I have corrected my query. Do try out @somesoni2 's answer and accept the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

p_gurav · ‎04-09-2018

Can you try something like this after your search query:

 | eval Data_Growth=round(abs(Data_Growth/Size)*100,0)

How to display the delta value in percentage

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)