Splunk Search

Command to display percentage increase in stats count

colinmchugo
Explorer

Hi,
Is there a way of showing the percentage increase or decrease from the command:

"stats count as daycount by date_mday | streamstats avg(daycount)" 

So you can see on a visualization if the events for that day are above or below average?

Thanks in advance.
-Colin

0 Karma

woodcock
Esteemed Legend

Maybe like this (you need to be clearer and show sample events with a mockup of the end goal data):

index=_* 
| stats count AS daycount BY date_mday
| eventstats avg(daycount) AS avg_daycount 
| eval deviation = daycount - avg_daycount 

jwalzerpitt
Influencer

Woodcock,

I was combing through some posts and came across your answer to this one and wanted to know if the following search based on your answer above was the most optimal way to identify a spike in the count for a host with ssh outbound activity. Search is as follows:

index=foo sourcetype="foo" dest_port=22  
| stats count as hourcount by date_hour src 
| eventstats avg(hourcount) AS avg_hourcount by src 
| eval deviation = hourcount - avg_hourcount 
| eval percentChange=round(((hourcount-avg_hourcount)/abs(avg_hourcount))*100,2) 
| where percentChange > 200

I'm looking for a report/alert that takes the count per src every hour and compares it to the previous hour and calculates the percentage increase. I know there are many ways to skin a cat in Splunk, but was wondering if this search is the most optimal way to look for spikes in traffic.

Thx

0 Karma

woodcock
Esteemed Legend

This definitely should work. Be aware that there are some perc* and stdev* functions that you can use, too.

0 Karma

cmerriman
Super Champion

you could add:

...|eval percentChange=round(((daycount-avg_daycount)/abs(avg_daycount))*100,2)

that should give you a positive or negative percentage from the count vs the average.
you can show the count and the percent change on a chart and put the percent change on the chart overlay for a visualization.

0 Karma
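The three searches in this thread (woodcock's eventstats/deviation pattern, jwalzerpitt's per-src hourly percentChange with a 200% threshold, and cmerriman's percentChange eval) all do the same arithmetic. Below is an added Python model of that pipeline run over constructed sample events, so the numbers can be checked outside Splunk; it is not code from the thread or from Splunk. It differs from the SPL in two deliberate ways: it buckets on the full date plus hour rather than date_hour (which merges the same hour of different days into one bucket), and it adds a sample-stdev z-score next to percentChange to show what the stdev* functions woodcock mentions would give. Field names mirror jwalzerpitt's search; the hosts and timestamps are made up.

```python
"""Offline model of the SPL pipeline discussed in the thread:

    index=foo sourcetype="foo" dest_port=22
    | stats count AS hourcount BY date_hour src
    | eventstats avg(hourcount) AS avg_hourcount BY src
    | eval deviation = hourcount - avg_hourcount
    | eval percentChange=round(((hourcount-avg_hourcount)/abs(avg_hourcount))*100,2)
    | where percentChange > 200

Added example, not Splunk code. Events below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample events: (timestamp, src, dest_port).
SAMPLE_EVENTS = [
    # steady host: two SSH connections in every hour
    *[(f"2024-03-01 {h:02d}:{m:02d}:00", "10.0.0.9", 22)
      for h in (12, 13, 14, 15) for m in (5, 35)],
    # spiking host: one connection per hour, then ten in the 14:00 hour
    ("2024-03-01 12:10:00", "10.0.0.5", 22),
    ("2024-03-01 13:10:00", "10.0.0.5", 22),
    *[(f"2024-03-01 14:{m:02d}:00", "10.0.0.5", 22) for m in range(0, 50, 5)],
    ("2024-03-01 15:10:00", "10.0.0.5", 22),
    # HTTPS event that the dest_port=22 filter must drop
    ("2024-03-01 14:20:00", "10.0.0.9", 443),
]


def hour_bucket(ts):
    """Bucket key keeping the date, unlike Splunk's date_hour (0-23 only)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")


def hourly_counts(events, dest_port=22):
    """`dest_port=22 | stats count AS hourcount BY hour src` as a Counter."""
    counts = Counter()
    for ts, src, port in events:
        if port != dest_port:
            continue
        counts[(src, hour_bucket(ts))] += 1
    return counts


def percent_change_rows(counts):
    """`eventstats avg(hourcount) ... BY src` followed by the eval lines.

    Like eventstats, the average (and stdev) for a src is computed over all of
    that src's rows, including the row being scored.
    """
    history = defaultdict(list)
    for (src, _hour), n in counts.items():
        history[src].append(n)

    rows = []
    for (src, hour), n in sorted(counts.items()):
        avg = mean(history[src])
        # Splunk's stdev() is the sample standard deviation; stdevp() is population.
        sd = stdev(history[src]) if len(history[src]) > 1 else 0.0
        rows.append({
            "src": src,
            "hour": hour,
            "hourcount": n,
            "avg_hourcount": avg,
            "deviation": n - avg,
            "percentChange": round((n - avg) / abs(avg) * 100, 2),
            "zscore": round((n - avg) / sd, 2) if sd else None,
        })
    return rows


def spikes(rows, threshold=200):
    """`where percentChange > threshold`."""
    return [r for r in rows if r["percentChange"] > threshold]


if __name__ == "__main__":
    for row in percent_change_rows(hourly_counts(SAMPLE_EVENTS)):
        print(row)
    print("spikes:", spikes(percent_change_rows(hourly_counts(SAMPLE_EVENTS))))
```

Running it flags only 10.0.0.5 in the 14:00 hour: ten connections against a four-hour average of 3.25 is a percentChange of 207.69. The same row is only 1.5 sample standard deviations above its mean, because eventstats folds the spike into its own baseline and four hours is a very short history; a percentChange threshold and a stdev threshold will therefore disagree on short baselines, which is worth knowing before picking one for an alert.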