Suggestions on calculating reduction rates over a period of time

jjones31
New Member

I am new to Splunk and need guidance on writing a generic search that will give me the percent increase over a two month period. For example, let's say my event data has the following fields:

page="foo.html", success_rate=99.0, _time=2014-12-01
page="foo.html", success_rate=99.5, _time=2014-11-01
page="bar.html", success_rate=100, _time=2014-12-01
page="bar.html", success_rate=100, _time=2014-11-01

I would like my results to be:

Page Name | Success Rate Change
foo.html | -0.5
bar.html | 0


Here is another example:

Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1

Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66

This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.

I've gotten this to work with the following query:

| eval month=strftime(_time,"%b") | chart avg(success_rate) by page, month
| convert num("Dec") as dec_res num("Nov") as nov_res
| eval rs_diff = (((dec_res / nov_res) * 100) - 100)
| table page rs_diff

However, this is not very flexible as I have to get the column by the month's name. This will only work for a month and then I have to change it.

How can I get the same results without using hard-coded values?

0 Karma

jayannah
Builder

Use the "delta" command for the difference between the current and previous value of the given parameter.

For more details, refer to: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta

E.g: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.

... | delta count AS countdiff

0 Karma

jjones31
New Member

Thanks for your response jayannah!

You actually made me realize my example is misleading. Since success rate is already a percentage, your suggestion is completely valid.

I am trying to create a search that will give me all events that are greater than a specific percentage (percent increase). For example, if I have a web page in which the response time has grown more than 10% in the past month, I want to know.

Let me give you a better example, let's use response time instead of success rate.

Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1

Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66

This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.

Any help is appreciated!

0 Karma

jayannah
Builder

The line below will add a new field, previous_response_time, with the value of response_time from the previous event.

| streamstats current=f last(response_time) as previous_response_time

Then the query below gives you the % you want.

| eval Perc_change = ((response_time - previous_response_time) / previous_response_time * 100)

Hope this helps..

0 Karma
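
Added example (not part of either poster's replies): one way to combine the streamstats and eval steps above into a complete search that computes the month-over-month change per page and keeps only pages whose response time grew more than 10%. The `makeresults` lines only build the four sample events from the question as constructed input; the monthly `bin`, the ascending `sort`, the `BY page` clause and the null/zero guard are assumptions added here so that each page is compared only with its own previous month.

```spl
| makeresults count=4
| streamstats count AS n
| eval page=case(n<=2, "foo.html", true(), "bar.html")
| eval _time=if(n%2==1, strptime("2014-11-01", "%Y-%m-%d"), strptime("2014-12-01", "%Y-%m-%d"))
| eval response_time=case(n==1, 40, n==2, 50, n==3, 3, n==4, 1)
| bin _time span=1mon
| stats avg(response_time) AS response_time BY page _time
| sort 0 page _time
| streamstats current=f window=1 last(response_time) AS previous_response_time BY page
| where isnotnull(previous_response_time) AND previous_response_time != 0
| eval perc_change=round((response_time - previous_response_time) / previous_response_time * 100, 2)
| where perc_change > 10
| table page _time previous_response_time response_time perc_change
```

Against real data, replace the first five lines with the base search; dropping the final `where` returns the change for every page rather than only those above the threshold.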