I mentioned you need to replace sourcetype with your BIN - as that is what you are grouping by - sourcetype was only an example. Your original post shows the metrics by BIN, so that is what you need to split by.
... View more
Hello All, Been trying to get the hang of syntax within Splunk and have been able to sus out a basic understanding, true to form for myself, I usually end up jumping into the deep end when I do things, so bear with me. I am attempting to creat a report/search/dashboard that looks over the last four hours and will display the largest percent increase of a value. The field is BIN currently stored as a numerical value, I have tried the tostring command to transform it but usually ends up as no values being returned or them all being grouped together. But I digress, how would I first create a search/table view that would be updated along a described timeframe lets say every hour where it looks at the previous timeframe as a percentage of total records for that timeframe and calculates the percentage increase of the two timeframes and filters to see the top 20 increases? Example: I would want to ignore any decreasing values and possibly only see the top 20 that had increased that are greater than or equal to a 15% increase. BIN Percent 2 hour ago Percent 1 hr ago Pecent change 123456 10% 12% 16.7% 234561 10% 8% -25% 345612 30% 25% -20% 456123 35% 30% -16.7% 561234 15% 25% 40%
... View more