Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Percentage difference between two successive events as a new field

rturk
Builder
‎09-04-2012 04:37 AM

So a quick and dirty one.

If I have a search that gives me a daily summary of the bytes downloaded by web users:

sourcetype="web_logs" | timechart span=1d sum(sc_bytes) AS "Daily Traffic (Bytes)"

What would be the best way to compare two successive days and give a % increase/decrease value? e.g.

_time                      Daily Traffic    perc_diff
8/9/11  12:00:00.000 AM    318606425        0
8/10/11 12:00:00.000 AM    66560892         -79.10
8/11/11 12:00:00.000 AM    2987269232       4388.02
8/12/11 12:00:00.000 AM    7981047          -99.73
8/13/11 12:00:00.000 AM    160388640        1909.61 
8/14/11 12:00:00.000 AM    52523918         -67.25

Hope someone can help.. I have Splunkers block 😛

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

echalex
Builder
‎09-04-2012 05:51 AM

Hi R.Turk,

I think you should be succesful using bucket, delta and eval. Use bucket to group the results into daily sets, stats to calculate the daily sum, delta to calculate the change and eval to get the percentage.

...|bucket _time span=1d | stats sum(sc_bytes) as sc_bytes_daily by _time |delta sc_bytes_daily as change |eval change_percent=change/(sc_bytes_daily-change)*100 |timechart span=1d  first(sc_bytes_daily) AS "Daily traffic (bytes)", first(change_percent) AS "Change (%)"

HTH

View solution in original post

Reply
Solved! Jump to solution
Solution

echalex
Builder
‎09-04-2012 05:51 AM

Hi R.Turk,

I think you should be succesful using bucket, delta and eval. Use bucket to group the results into daily sets, stats to calculate the daily sum, delta to calculate the change and eval to get the percentage.

...|bucket _time span=1d | stats sum(sc_bytes) as sc_bytes_daily by _time |delta sc_bytes_daily as change |eval change_percent=change/(sc_bytes_daily-change)*100 |timechart span=1d  first(sc_bytes_daily) AS "Daily traffic (bytes)", first(change_percent) AS "Change (%)"

HTH

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-04-2012 06:44 AM

Well done! I was playing with an alternate solution, but not using bucket - noticed that bucket reduced the memory used during the search by a factor of 3 in my case. The job runtimes were similar for both searches. K.

0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎09-04-2012 06:01 AM

:blush: You noticed! Yep, I did some testing with 5m buckets.

And yes, I'll be there. Looking forward to that beer! 🙂

0 Karma
Reply
Solved! Jump to solution

rturk
Builder
‎09-04-2012 05:56 AM

Thanks echalex! That's exactly what I was after! I was going to ask you why the 5 minute spans, but you edited it 🙂 If you're heading to .conf2012, I'll be sure to buy you a beer 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...