
calculate delta of success rate of a particular field for two hosts

yamini_37
Path Finder

Can you please help me in writing an SPL query for the below scenario?
I want to calculate delta of success rate of a particular field for two servers.

I used the below query:
.....|stats values(Resp) as Resp values(Req) as Required by _time,host | eval Success_Rate= (Resp/Required)*100 |delta Success_Rate as Delta_of_Success_Rate | xyseries _time host Delta_of_Success_Rate

Here, Splunk is calculating the delta according to the values listed in the statistics. Can you please correct this query to calculate the delta value for each host?

0 Karma

to4kawa
SplunkTrust
| makeresults 
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh" 
| makemv delim="
" temp
| mvexpand temp
| rename temp as _raw
| erex processname examples="/root/user/bin/process1.sh,/root/user/bin/process21.deb"

Also please.

0 Karma

to4kawa
SplunkTrust
| makeresults count=2 
| streamstats count 
| eval _time=if(count=2,relative_time(_time,"-1d@m"),_time) 
| makecontinuous span=1m _time 
| eval host="host".(random() % 2 + 1) 
| eval Resp=random() % 5 + 1, Req=random() % 5 + 1 
| bin span=1h _time 
| stats sum(Resp) as Resp sum(Req) as Required by _time,host 
| eval Success_Rate= round((Resp/Required)*100) 
| reverse 
| delta Success_Rate as Delta_of_Success_Rate 
| xyseries _time host Delta_of_Success_Rate

Hi, folks. I think that if you use reverse, it works properly

0 Karma

woodcock
Esteemed Legend

Maybe this?

... | bin _time span=1h 
| stats dc(Resp) AS Resp dc(Req) AS Req BY _time host
| eval Success_Rate = 100 * (Resp / Req) 
| streamstats current=f last(Success_Rate) AS Next_Success_Rate BY host
| eval Delta_of_Success_Rate = Next_Success_Rate - Success_Rate
| timechart span=1h first(Delta_of_Success_Rate) AS Delta_of_Success_Rate BY host
0 Karma

aberkow
Builder

Can you give an example and desired output?

Does it look like:

| host | time | delta |
|------|------|-------|
| a | 1 | |
| a | 2 | |
| b | 1 | |
| b | 2 | |

and you want it to just be for one host? sorted by host? thanks!

0 Karma

yamini_37
Path Finder

My desired output should be like:

Time Delta(host 1) Delta(host 2)

I didn't sort it by host. I will try like that.

0 Karma

yamini_37
Path Finder

I am getting the below output:

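| time | host | sucess_rate | Delta_of_sucess_rate |
|------|------|-------------|----------------------|
| 12/29/19 08:40 AM | XM1 | 100 | |
| 12/29/19 08:40 AM | XM2 | 98 | -2 |
| 12/29/19 08:45 AM | XM1 | 99 | 1 |
| 12/29/19 08:45 AM | XM2 | 100 | 1 |
| 12/29/19 08:50 AM | XM1 | 96 | -4 |
| 12/29/19 08:50 AM | XM2 | 95 | -1 |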

The above is calculating delta incorrectly. I want to display the below desired output.

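| time | host | sucess_rate | Delta_of_sucess_rate |
|------|------|-------------|----------------------|
| 12/29/19 08:40 AM | XM1 | 100 | |
| 12/29/19 08:45 AM | XM1 | 99 | -1 |
| 12/29/19 08:50 AM | XM1 | 96 | -3 |
| 12/29/19 08:40 AM | XM2 | 98 | |
| 12/29/19 08:45 AM | XM2 | 100 | 2 |
| 12/29/19 08:50 AM | XM2 | 95 | -5 |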

OR

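| time | success_XM1 | delta_success_host(XM1) | success_XM2 | delta_success_host(XM2) |
|------|-------------|-------------------------|-------------|-------------------------|
| 12/29/19 08:40 AM | 100 | | 98 | |
| 12/29/19 08:45 AM | 99 | -1 | 100 | 2 |
| 12/29/19 08:50 AM | 96 | -3 | 95 | -5 |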

Finally, I want to show the delta values of two hosts in one panel by time. Can you please help me with this? Thanks

0 Karma
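
An added example, not part of any post in this thread: `delta` has no BY clause and subtracts adjacent result rows regardless of host, so one way to get a per-host delta is to carry each host's previous Success_Rate forward with `streamstats ... BY host` and subtract it. The field names `constructed_sample`, `f` and `Prev_Success_Rate` are assumptions, and the six sample rows are constructed from the XM1/XM2 values in the post above.

```spl
| makeresults
| eval constructed_sample=split("08:40,XM1,100;08:40,XM2,98;08:45,XM1,99;08:45,XM2,100;08:50,XM1,96;08:50,XM2,95", ";")
| mvexpand constructed_sample
| eval f=split(constructed_sample, ","),
       _time=strptime("12/29/19 ".mvindex(f, 0), "%m/%d/%y %H:%M"),
       host=mvindex(f, 1),
       Success_Rate=tonumber(mvindex(f, 2))
| fields _time host Success_Rate
| sort 0 _time
| streamstats current=f last(Success_Rate) AS Prev_Success_Rate BY host
| eval Delta_of_Success_Rate = Success_Rate - Prev_Success_Rate
| xyseries _time host Delta_of_Success_Rate
```

On real data, replace everything up to and including the `fields` line with the base search and the `stats ... BY _time host` and `eval Success_Rate` steps. The earliest interval for each host has no previous value, so its delta is null.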