finding the percent difference between two searche...

mileven · ‎03-05-2014

I have the below search. I'm trying to get the % difference between the first count which pulls from a CSV file and the second count which pulls form the splunk server. Yet the final statement doesn't seem to work properly.

|Inputlookup PSLSE_Inventory.csv | search AssetEnv=* | chart count  AS "Inventory" by AssetEnv| appendcols [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] |appendcols [eval mypercentage = 100 * (count/Reporting) |chart count mypercentage]

somesoni2 · ‎03-05-2014

Try this

|Inputlookup PSLSE_Inventory.csv | search AssetEnv= | chart count AS Inventory by AssetEnv| appendcols [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] | eval mypercentage=(100*Inventory)/Reporting

OR

|Inputlookup PSLSE_Inventory.csv | search AssetEnv= | chart count AS Inventory by AssetEnv| join type=left AssetEnv [search host=* AssetEnv=* | dedup host | chart count AS Reporting by AssetEnv] | eval mypercentage=(100*Inventory )/Reporting

mileven · ‎03-10-2014

I am able to get 2 columns with the values I'm looking for but I would like to get the % difference between the 2.

somesoni2 · ‎03-05-2014

also, try updated queries.

somesoni2 · ‎03-05-2014

Are you getting two column result with this? How is the value in count field, they come for all the events or some of them are blank

mileven · ‎03-05-2014

Neither of these provide me with 3 columns. which is what I am needing.

finding the percent difference between two searches

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms