When running a single search on bandwidth data I can calculate the percentage between bandwidth In and Out using this eval function:
| eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference _time
What I want to do is calculate the percentage change between bandwidth over a 5-minute time span. For example, let's assume I'm seeing 100/mbps of bandwidth at 12:00p Noon and at 12:05p the bandwidth jumps to 125/mbps. How can I calculate the 25% increase in bandwidth between those two timespans/searches?
Wonderful. Thanks for the | bucket command tip.
Like @linu1988 points out, you can use the bucket command to get the values for every 5 mins, then you can use the delta command to calculate the difference between two adjacent events.
Your search would look like:
Here's the documentation on delta: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Delta
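As an added illustration (not part of either answer above, and not the original poster's search), here is one way the bucket-then-delta approach can be written out in full. Names are assumptions: index=network, sourcetype=bandwidth, and the field BandwidthIn from the question. Each 5-minute bucket is reduced to one row with stats, delta subtracts the previous bucket's value from the current one, and the eval turns that difference into a percentage of the previous bucket (so 100 to 125 gives 25):

```spl
index=network sourcetype=bandwidth
| bucket _time span=5m
| stats avg(BandwidthIn) as BandwidthIn by _time
| delta BandwidthIn as change
| eval previous=BandwidthIn-change
| eval percent_change=if(isnotnull(change) AND previous!=0, round((change/previous)*100, 2), null())
| table _time BandwidthIn change percent_change
```

The first bucket has no predecessor, so delta leaves change empty and percent_change stays null rather than erroring; the previous!=0 check avoids a divide-by-zero when a bucket reports no traffic. Use avg, max or sum in the stats line depending on how the interface metric is sampled.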
Could you please give the below query a try:
| bucket _time span=5m | eval percent_difference=((BandwidthIn/BandwidthOut)*100) | table percent_difference, _time
Thanks