Splunk Search

finding the percent difference between two searches

mileven
Explorer

I have the below search. I'm trying to get the % difference between the first count which pulls from a CSV file and the second count which pulls form the splunk server. Yet the final statement doesn't seem to work properly.

|Inputlookup PSLSE_Inventory.csv | search AssetEnv=* | chart count  AS "Inventory" by AssetEnv| appendcols [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] |appendcols [eval mypercentage = 100 * (count/Reporting) |chart count mypercentage]
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

|Inputlookup PSLSE_Inventory.csv | search AssetEnv= | chart count AS Inventory by AssetEnv| appendcols [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] | eval mypercentage=(100*Inventory)/Reporting

OR

|Inputlookup PSLSE_Inventory.csv | search AssetEnv= | chart count AS Inventory by AssetEnv| join type=left AssetEnv [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] | eval mypercentage=(100*Inventory )/Reporting
0 Karma

mileven
Explorer

I am able to get 2 columns with the values I'm looking for but I would like to get the % difference between the 2.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

also, try updated queries.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you getting two column result with this? How is the value in count field, they come for all the events or some of them are blank

|Inputlookup PSLSE_Inventory.csv | search AssetEnv= | chart count AS "Inventory" by AssetEnv| join type=left AssetEnv [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv]

0 Karma

mileven
Explorer

Neither of these provide me with 3 columns. which is what I am needing.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...