Hello All,
Been trying to get the hang of syntax within Splunk and have been able to sus out a basic understanding, true to form for myself, I usually end up jumping into the deep end when I do things, so bear with me.
I am attempting to creat a report/search/dashboard that looks over the last four hours and will display the largest percent increase of a value.
The field is BIN currently stored as a numerical value, I have tried the tostring command to transform it but usually ends up as no values being returned or them all being grouped together.
But I digress, how would I first create a search/table view that would be updated along a described timeframe lets say every hour where it looks at the previous timeframe as a percentage of total records for that timeframe and calculates the percentage increase of the two timeframes and filters to see the top 20 increases?
Example:
I would want to ignore any decreasing values and possibly only see the top 20 that had increased that are greater than or equal to a 15% increase.
BIN | Percent 2 hour ago | Percent 1 hr ago | Pecent change |
123456 | 10% | 12% | 16.7% |
234561 | 10% | 8% | -25% |
345612 | 30% | 25% | -20% |
456123 | 35% | 30% | -16.7% |
561234 | 15% | 25% | 40% |
Here's an example search that will probably do what you want. It's using sourcetype from _internal index to do the search, but you should replace the index query and sourcetype to be your index search criteria and BIN.
index=_internal earliest=-2h@h latest=@h
| bin _time span=1h
| stats count by _time sourcetype
| eventstats sum(count) as total by _time
| eval percent=round(count/total*100, 2)
| chart values(percent) as p over _time by sourcetype
| streamstats c
| fields - _time t
| transpose 0 header_field=c
| eval diff='2'-'1'
| where !isnull(diff)
| eval Change=round(diff / '1' * 100, 2)
| rename "1" as "Previous 2hr", "2" as "Previous 1hr"
| fields - diff
| sort - Change
| where Change>15
Keep earliest and latest time in search. This does
Note that this is calculating the percentages of events as a ratio of total, which if one bin number goes down the ratio of other bins will go up even if the bin counts do not, so may not be what you want, but hopefully gives you some tools to play with.
I updated the Index with mine I am not sure about what the sourcetype would be. in the searches that I was attempting to put together, I was using data=data=billing_card but replacing sourcetype with billing_card or setting it equal to sourcetype it retrieves no data.
I redacted the last two lines of code to see if there just was not anything meeting those criteria for the search and I get:
column | Previous 2hr | Previous 1hr | Change | diff |
NULL | 100.00 | 100.00 | 0.00 | 0.00 |
If I just leave sourcetype in I get I am guessing the sources
I mentioned you need to replace sourcetype with your BIN - as that is what you are grouping by - sourcetype was only an example. Your original post shows the metrics by BIN, so that is what you need to split by.
You can fiddle with timechart and transposing result table.