Splunk Search

Suggestions on calculating reduction rates over a period of time

New Member

I am new to Splunk and need guidance on writing a generic search that will give me the percent increase over a two month period. For example, let's say my event data has the following fields:

page="foo.html", success_rate=99.0, _time=2014-12-01
page="foo.html", success_rate=99.5, _time=2014-11-01
page="bar.html", success_rate=100, _time=2014-12-01
page="bar.html", success_rate=100, _time=2014-11-01

I would like my results to be:

Page Name | Success Rate Change
foo.html | -0.5
bar.html | 0


Here is another example:

Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1

Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66

This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.

I've gotten this to work with the following query:

| eval month=strftime(_time,"%b") | chart avg(success_rate) by page, month
| convert num("Dec") as dec_res num("Nov") as nov_res
| eval rs_diff = (((dec_res / nov_res) * 100) - 100)
| table page rs_diff

However, this is not very flexible as I have to get the column by the month's name. This will only work for a month and then I have to change it.

How can I get the same results without using hard-coded values?

0 Karma

Builder

Use the "delta" command for the difference between the current and the previous value of the given parameter.

For more details, refer to: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta

E.g.: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.

... | delta count AS countdiff

0 Karma

New Member

Thanks for your response jayannah!

You actually made me realize my example is misleading. Since success rate is already a percentage, your suggestion is completely valid.

I am trying to create a search that will give me all events that are greater than a specific percentage (percent increase). For example, if I have a web page in which the response time has grown more than 10% in the past month, I want to know.

Let me give you a better example, let's use response time instead of success rate.

Events
page="foo.html", response_time=40, _time=2014-11-1
page="foo.html", response_time=50, _time=2014-12-1
page="bar.html", response_time=3, _time=2014-11-1
page="bar.html", response_time=1, _time=2014-12-1

Desired Results
Page | Response Time Percent Increase
foo.html | 25
bar.html | -66.66

This shows foo.html's response time grew 25% and bar.html's reduced 66% from Nov to Dec.

Any help is appreciated!

0 Karma

Builder

The below line will add a new field previous_response_time with the value of response_time of the previous event.

| streamstats current=f last(response_time) as previous_response_time

Then, the below query gives you the % you want..

| eval Percchange= ((response_time - previous_response_time) / previous_response_time * 100)

Hope this helps..

0 Karma
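
An added example, not part of the thread or any poster's code: a self-contained search that builds the question's four response_time events with makeresults (constructed sample data), buckets them by calendar month, and compares each page's monthly average with that page's previous month, so no month name is hard-coded. The field names raw, day, avg_rt, prev_rt, month and pct_increase are assumptions introduced here.

```spl
| makeresults
| eval raw="foo.html,40,2014-11-01;foo.html,50,2014-12-01;bar.html,3,2014-11-01;bar.html,1,2014-12-01"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<page>[^,]+),(?<response_time>[^,]+),(?<day>.+)$"
| eval _time=strptime(day, "%Y-%m-%d")
| bin _time span=1mon
| stats avg(response_time) as avg_rt by page, _time
| sort 0 page, _time
| streamstats current=f last(avg_rt) as prev_rt by page
| where isnotnull(prev_rt) AND prev_rt!=0
| eval pct_increase=round((avg_rt - prev_rt) / prev_rt * 100, 2)
| eval month=strftime(_time, "%Y-%m")
| table page, month, prev_rt, avg_rt, pct_increase
```

Against real data, replace everything up to and including the `eval _time` line with the base search and a time range covering the months to compare. Appending `| where pct_increase > 10` keeps only pages whose response time grew by more than 10%.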