Splunk Search

Day to day % Difference

allansneddon
Explorer

Hi guys,

I create daily reports with various data on that we collect, and i am now looking to add a few extra bits of information that will be useful to the team.
I am looking to create a chart that show the % difference from the today's data against the data received the day before. For example if we received 100 events yesterday and 200 today it shows an increase of 100%. Any help would be very much appreciated.

Cheers,

Allan

Tags (1)
0 Karma
1 Solution

niketn
Legend

Ideally, streamstats should be used for this (depending upon what is your current search). However, delta can be used if you query is a simple scenario like a timechart being plotted for daily span. The delta command will give you the difference of count in the current row with previous row. This way you will have a way to identify what was the previous day's total. See the following run anywhere search based on Splunk's _internal index.

index=_internal sourcetype="splunkd" log_level="WARN"
| timechart span=1d count
| delta count as Delta
| fillnull value=0 Delta
| eval Total=count-Delta
| eval percIncrDecr=(Delta/Total)*100
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

Ideally, streamstats should be used for this (depending upon what is your current search). However, delta can be used if you query is a simple scenario like a timechart being plotted for daily span. The delta command will give you the difference of count in the current row with previous row. This way you will have a way to identify what was the previous day's total. See the following run anywhere search based on Splunk's _internal index.

index=_internal sourcetype="splunkd" log_level="WARN"
| timechart span=1d count
| delta count as Delta
| fillnull value=0 Delta
| eval Total=count-Delta
| eval percIncrDecr=(Delta/Total)*100
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

allansneddon
Explorer

This works, thank you so much!

0 Karma

niketn
Legend

Great Cheers!!! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...