Solved: Re: Why is the chart only valuing 15% above calcul...

fisuser1 · ‎08-25-2018

I've created a chart that only shows run times above a 60 day average and it's corresponding average, which works perfectly. However, now my users are looking to narrow these to occurrences that are 15% and higher than said average, evidently it's too difficult to look at the numbers I am already presenting. Any suggestions based on my existing search I have working?

index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
| strcat firm_name " - Firm Number:  " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| where duration_minutes > avg_time 
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown"))))))) 
| chart values(duration_minutes) as run_time by Firm date_wday_new 
| appendcols 
    [ search index=global_foo sourcetype=prd_global_bar_log firm_name="*" start_time="*" firm_number="*"
    | stats avg(duration_minutes) as Average by firm_name]

renjith_nair · ‎08-25-2018

@fisuser1,
If you just want to calculate the percentage, try this

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15 
|"other searche terms"

Happy Splunking!

View solution in original post

renjith_nair · ‎08-25-2018

@fisuser1,
If you just want to calculate the percentage, try this

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d 
| eventstats avg(duration_minutes) as avg_time by Firm
| perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15 
|"other searche terms"

Happy Splunking!

fisuser1 · ‎08-26-2018

this worked, thank you. @renjith.nair, please copy your suggestion into the answers section, I will so you get credit.

Here's the final result.

index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| eval date_wday_new=if(date_wday="sunday","1. Sunday",if(date_wday="monday","2. Monday",if(date_wday="tuesday","3. Tuesday",if(date_wday="wednesday","4. Wednesday",if(date_wday="thursday","5. Thursday",if(date_wday="friday","6. Friday",if(date_wday="saturday","7. Saturday","unknown")))))))
| chart values(duration_minutes) as run_time by Firm date_wday_new
| appendcols
[ index=global_foo sourcetype=prd_global_bar_log firm_name="" start_time="" firm_number=""
| strcat firm_name " - Firm Number: " firm_number AS Firm
| bin _time span=60d
| eventstats avg(duration_minutes) as avg_time by Firm
| eval perc_of_change=round(((duration_minutes-avg_time)/duration_minutes)*100,2)
| where perc_of_change > 15
| stats first(avg_time) as Average by Firm]
| rename "2. Monday" as Monday
| rename "3. Tuesday" as Tuesday
| rename "4. Wednesday" as Wednesday
| rename "5. Thursday" as Thursday
| rename "6. Friday" as Friday
| fields - firm_name
| fillnull value="."

renjith_nair · ‎08-26-2018

@fisuser1, glad to know 🙂

Happy Splunking!

Why is the chart only valuing 15% above calculated average response?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!