- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Suggestions on calculating reduction rates over a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suggestions on calculating reduction rates over a period of time
I am new to Splunk and need guidance on writing a generic search that will give me the percent increase over a two month period. For example, let's say my event data has the following fields:
page="foo.html", success_rate=99.0, _time=2014-12-01
page="foo.html", success_rate=99.5, _time=2014-11-01
page="bar.html", success_rate=100, _time=2014-12-01
page="bar.html", success_rate=100, _time=2014-11-01
I would like my results to be:
Page Name | Success Rate Change
foo.html | -0.5
bar.html | 0
Here is another example:
Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1
Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66
This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.
I've gotten this to work with the follow query:
| eval month=strftime(_time,"%b") | chart avg(success_rate) by page, month
| convert num("Dec") as dec_res num("Nov") as nov_res
| eval rs_diff = (((dec_res / nov_res) * 100) - 100)
| table page rs_diff
However, this is not very flexible as I have to get the column by the month's name. This will only work for a month and then I have to change it.
How can I get the same results without using hard-coded values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use "delta" command for the difference in the current Vs previous value for the given parameter.
Refer for more details : http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta
E.g: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.
... | delta count AS countdiff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response jayannah!
You actually made me realize my example is misleading. Since success rate is already a percentage, your suggestion is completely valid.
I am trying to create a search that will give me all events that's greater than a specific percentage (percent increase). For example, if I have a web page in which the response time has grown more than 10% in the past month, I want to know.
Let me give you a better example, let's use response time instead of success rate.
Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1
Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66
This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.
Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The below line will add new field previous_response_time with value of response_time of previous event.
| streamstats current=f last(response_time) as previous_response_time
Then, the below query gives you the % you want..
eval Perc_change= ((response_time - previous_response_time) /previous_response_time * 100)
Hope this helps..
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
