Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate the percentage difference of search 1 to search 2?

pavanae
Builder
‎09-30-2015 10:31 AM

Hi

I have two different searches and two different results as follows

Search 1:

index="xyz" ".handleCommitOrder"|xmlkv | timechart count(date_mday) span=1h

Result of search 1:

_time                  count(date_mday)
2015-09-30 09:00              38
2015-09-30 10:00              29
2015-09-30 11:00              57
2015-09-30 12:00              37
2015-09-30 13:00              30

search 2: 

index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart count(Order_Number)  span=1h

Result of Search 2:

_time                 count(Order_Number)
2015-09-30 09:00              714
2015-09-30 10:00              813
2015-09-30 11:00              967
2015-09-30 12:00              958
2015-09-30 13:00              110

Now I want to know the percentage difference of search 1 and search 2 and how can I display them in statistical result?

Is it possible in Splunk ?
Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 03:04 PM

You could run this:

  index="xyz" ".handleCommitOrder"|xmlkv | timechart span=1h count as commits
| appendcols [search index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart span=1h count as orders]
| eval percentage = commits / orders * 100

Not sure what exact calculation you want between the two, just adapt the eval to your needs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 03:04 PM

You could run this:

  index="xyz" ".handleCommitOrder"|xmlkv | timechart span=1h count as commits
| appendcols [search index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart span=1h count as orders]
| eval percentage = commits / orders * 100

Not sure what exact calculation you want between the two, just adapt the eval to your needs.

0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎09-30-2015 04:15 PM

Thanks it worked but taking too much time for parsing the search

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 11:28 PM

That's the time taken to run the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...