Splunk Search

How to calculate a percentage change between two columns in a chart and add the result in a new column?

vman_me
New Member

I am still getting into the swing of things with Splunk and have a question.
I am generating a chart like this:

   chart Average  by Component Day  

It's only 2 days, so I'd like to calculate a percentage of change between the days (still by Component) and add that as another column.

I'd appreciate any help, suggestions, etc.

  • V
0 Karma

jeffland
SplunkTrust

You mean something like this?

index=_internal group=pipeline OR group=queue
| bucket _time span=1d | stats count by _time group
| streamstats window=2 current=f last(count) as previouscount by group
| eval delta=count-previouscount
| timechart span=1d avg(count) as Value avg(previouscount) avg(delta) as Difference by group | fields - avg(previous*

This example slightly differs from how your chart is generated but should in effect do the same.
Because I don't know what your data is, I just took two groups from internal data, put it into one-day buckets and did a count by _time and group. This should equal your chart by day and component. In the resulting statistics, I added the value from the day before (of the same group) with streamstats - see what the table looks like before the eval delta... for how things look at this stage. From there, it's a simple eval to calculate the difference between the value of this and the previous day, and plotting that on a timechart (without the values of the previous day, of course, which are only needed for the calculation).

Feel free to ask if there's anything I went over too quickly.

0 Karma

vman_me
New Member

Fancy stuff... I am still trying to dissect it (and digest it).
With the original chart command, I get 3 columns, as expected: one for the Components (basically the main part of the log description) and then 2 days' worth of metrics. I don't seem to get those with this answer, but I am trying to see how I can leverage some of the ideas.
I get 4 days in first column and then columns for a pair of pipeline and queue values.
Will tinker a bit more...

0 Karma

jeffland
SplunkTrust

To help you out, here is a version of the same idea with chart instead of timechart using a strftime version of _time, and I've also renamed the fields to what your data looks like to make the connection to your data clearer (I just picked groups pipeline and queue to have some data at hand as a run-anywhere example):

index=_internal group=pipeline OR group=queue
| bucket _time span=1d | rename group as Component
| eval Day=strftime(_time, "%d.%m.%Y")
| stats count by Day Component
| streamstats window=2 current=f last(count) as previouscount by Component
| eval delta=count-previouscount
| chart avg(count) as Value avg(previouscount) avg(delta) as Difference by Day Component
| fields - avg(previous*
0 Karma
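To get the percentage change the question asks for as its own column next to the two day columns, here is an added example (not from either poster in this thread) that builds on the approach above: it computes the change against the previous day with streamstats, leaves the result empty when the previous value is missing or zero, then uses appendpipe to add the percentage as if it were a third Day value so that chart lays it out beside the day columns. It assumes the same run-anywhere index=_internal groups pipeline and queue, an ISO date format for Day so that lexical order is chronological (which streamstats relies on), and count standing in for whatever aggregation your Average is.

```spl
index=_internal group=pipeline OR group=queue
| bucket _time span=1d | rename group as Component
| eval Day=strftime(_time, "%Y-%m-%d")
| stats count as Value by Component Day
| streamstats window=2 current=f last(Value) as Previous by Component
| eval PctChange=if(isnull(Previous) OR Previous==0, null(), round((Value-Previous)/Previous*100, 2))
| appendpipe [ where isnotnull(PctChange) | eval Day="Pct Change", Value=PctChange ]
| chart values(Value) by Component Day
```

The resulting table has one row per Component, one column per day and a final "Pct Change" column (named so that it sorts after the dates); with exactly two days there is one percentage per Component, while with more days the column becomes a multivalue list of day-over-day changes.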