How to include percentage change to Last Week / Pr...

mreid2005 · ‎03-09-2022

Hi,

Long time reader, first time poster. I've cobbled together this query that generates a count by status for last week, and the week before, I would like to add a PercentageChange Column.

index="my_index" container_label=my_notables container_update_time!=null earliest=-14d@w0 latest=@w0
| fields id, status, container_update_time 
| eval Time=strftime(_time,"%m/%d/%Y %l:%M:%S %p")
| eval container_update_time_epoch = strptime(container_update_time, "%FT%T.%5N%Z")
| sort 0 -container_update_time 
| dedup id 
| eval status=case((status="dismissed"), "Dismissed (FP)",(status="resolved"), "Resolved (TP)",true(), "Other") 
| eval marker=if(relative_time(now(),"-7d@w0")<container_update_time_epoch,"WeekReporting", "PriorWeek")
| eval _time=if(relative_time(now(),"-7d@w0")<container_update_time,container_update_time_epoch, container_update_time_epoch+60*60*24*7)
| chart count by status marker

I know I need to incorporate the following eval somehow, just not sure how to tie it all together to get it to show up in the format shown above.

| eval PercentChange= if(PriorWeek!=0,(WeekReporting-PriorWeek)/PriorWeek*100,WeekReporting*100)

I'll be honest I'm not sure If I still need the final eval, so any other suggestions that will make this more efficient I'll gladly accept.

I appreciate any and all tips or help to make this work.

Cheers,
Michael

somesoni2 · ‎03-09-2022

Just add that eval at the end of your current search (after chart command).

How to include percentage change to Last Week / Prior Week Chart (table)

chart

eval

fields

stats

table

timechart

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform