So a quick and dirty one.
If I have a search that gives me a daily summary of the bytes downloaded by web users:
sourcetype="web_logs" | timechart span=1d sum(sc_bytes) AS "Daily Traffic (Bytes)"
What would be the best way to compare two successive days and give a % increase/decrease value? e.g.
_time                     Daily Traffic   perc_diff
8/9/11 12:00:00.000 AM        318606425        0
8/10/11 12:00:00.000 AM        66560892   -79.10
8/11/11 12:00:00.000 AM      2987269232  4388.02
8/12/11 12:00:00.000 AM         7981047   -99.73
8/13/11 12:00:00.000 AM       160388640  1909.61
8/14/11 12:00:00.000 AM        52523918   -67.25
Hope someone can help... I have Splunker's block.
Hi R.Turk,
I think you should be successful using bucket, delta and eval. Use bucket to group the results into daily sets, stats to calculate the daily sum, delta to calculate the change and eval to get the percentage.
...|bucket _time span=1d | stats sum(sc_bytes) as sc_bytes_daily by _time |delta sc_bytes_daily as change |eval change_percent=change/(sc_bytes_daily-change)*100 |timechart span=1d first(sc_bytes_daily) AS "Daily traffic (bytes)", first(change_percent) AS "Change (%)"
HTH
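Added here as a worked example, not part of the thread or echalex's post: a small Python script that reproduces the bucket / stats / delta / eval pipeline from the answer above on constructed sample events, so the arithmetic and its two edge cases (the first day has no predecessor, and a day whose predecessor summed to zero) can be checked outside Splunk. The timestamps and byte counts are made up and chosen to give round percentages; the function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (timestamp, sc_bytes); not from the original thread.
# Totals are chosen so the daily percentages are round numbers, and one day has
# zero traffic so the division-by-zero case is exercised.
SAMPLE_EVENTS = [
    ("2011-08-09T03:15:00+00:00", 600),
    ("2011-08-09T21:40:00+00:00", 400),   # two events, same day -> 1000
    ("2011-08-10T08:00:00+00:00", 800),   # -20 %
    ("2011-08-11T12:00:00+00:00", 1600),  # +100 %
    ("2011-08-12T00:30:00+00:00", 0),     # -100 %
    ("2011-08-13T23:59:59+00:00", 400),   # previous day is 0 -> undefined
    ("2011-08-14T10:10:10+00:00", 500),   # +25 %
]


def bucket_daily(events):
    """bucket _time span=1d | stats sum(sc_bytes) as sc_bytes_daily by _time

    Returns a list of (day, total) sorted by day; days are UTC calendar dates,
    so input order does not matter.
    """
    totals = defaultdict(int)
    for ts, sc_bytes in events:
        day = datetime.fromisoformat(ts).astimezone(timezone.utc).date().isoformat()
        totals[day] += int(sc_bytes)
    return sorted(totals.items())


def percent_change(daily):
    """delta sc_bytes_daily as change | eval change_percent=change/(sc_bytes_daily-change)*100

    Returns a list of (day, total, change, change_percent). The first row has
    no predecessor, so change and change_percent are None (SPL's delta yields
    null there). When the previous day's total is 0 the percentage is
    undefined and is also reported as None instead of raising ZeroDivisionError.
    """
    rows = []
    prev = None
    for day, total in daily:
        if prev is None:
            rows.append((day, total, None, None))
        else:
            change = total - prev
            base = total - change          # equals prev; written as in the SPL eval
            pct = None if base == 0 else round(change / base * 100, 2)
            rows.append((day, total, change, pct))
        prev = total
    return rows


def daily_change_report(events=SAMPLE_EVENTS):
    """Full pipeline: bucket + stats, then delta + eval."""
    return percent_change(bucket_daily(events))


if __name__ == "__main__":
    print(f"{'_time':<12}{'Daily traffic (bytes)':>24}{'Change (%)':>14}")
    for day, total, _change, pct in daily_change_report():
        print(f"{day:<12}{total:>24}{'' if pct is None else pct:>14}")
```

Note that Splunk's delta leaves the first row's change null rather than 0, so a "0" on the first day (as in the table in the question) needs an explicit fillnull or coalesce; the same goes for the undefined percentage after a zero-traffic day, which eval will otherwise also leave null.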
Well done! I was playing with an alternate solution, but not using bucket - noticed that bucket reduced the memory used during the search by a factor of 3 in my case. The job runtimes were similar for both searches. K.
:blush: You noticed! Yep, I did some testing with 5m buckets.
And yes, I'll be there. Looking forward to that beer!
Thanks echalex! That's exactly what I was after! I was going to ask you why the five-minute spans, but you edited it.
If you're heading to .conf2012, I'll be sure to buy you a beer.