We have monthly data for each SBU and we want to set up an alert if any total increases by more than 5% for the upcoming month.
index=mydata | bin span=1mon _time | stats sum(total) as Total_Val by _time, SBU | sort +SBU -_time
Can you please help us write a Splunk query that flags any total that increases by more than 5% compared with the previous month?
Note: We have more than 50 SBUs.
Streamstats works fine:
....| stats sum(total) as total by _time, SBU | sort +SBU +_time | table _time, SBU, total | streamstats current=f window=1 first(total) as prev by SBU | eval deltaval=total - prev | eval diffp=deltaval/prev*100 | where diffp>5
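The pipeline above relies on two details that are easy to get backwards: `streamstats current=f window=1 ... by SBU` hands each row the value of the row immediately before it in the stream, so the sort direction on `_time` decides whether `prev` is the previous month or the next one, and the percentage must be taken against `prev`, not against the current `total`, to express "increase over the previous month". The following Python is an added example, not part of the original post or of Splunk; it emulates that `sort | streamstats | eval | where` chain over a small constructed dataset (the SBU names, dates and totals are made up) so both choices can be checked offline. The function and field names (`streamstats_prev`, `pct_change`, `alerts`, `baseline`) are this example's own.

```python
from datetime import date

# Constructed sample data: monthly totals per SBU (not from the original post).
ROWS = [
    {"_time": date(2023, 1, 1), "SBU": "A", "total": 100.0},
    {"_time": date(2023, 2, 1), "SBU": "A", "total": 104.0},  # +4.00% vs Jan
    {"_time": date(2023, 3, 1), "SBU": "A", "total": 110.0},  # +5.77% vs Feb
    {"_time": date(2023, 1, 1), "SBU": "B", "total": 210.0},
    {"_time": date(2023, 2, 1), "SBU": "B", "total": 190.0},  # -9.52% vs Jan
    {"_time": date(2023, 3, 1), "SBU": "B", "total": 200.0},  # +5.26% vs Feb
]


def streamstats_prev(rows, key="SBU", field="total", time_ascending=True):
    """Emulate `sort +SBU (+|-)_time | streamstats current=f window=1 first(total) as prev by SBU`.

    Within each key the previous row in the stream supplies `prev`; the first row
    of each key gets None, which stands in for SPL's null.
    """
    by_time = sorted(rows, key=lambda r: r["_time"], reverse=not time_ascending)
    ordered = sorted(by_time, key=lambda r: r[key])  # stable sort keeps time order per key
    last_seen = {}
    out = []
    for r in ordered:
        row = dict(r)
        row["prev"] = last_seen.get(r[key])
        last_seen[r[key]] = r[field]
        out.append(row)
    return out


def pct_change(rows, baseline="prev"):
    """Emulate `eval deltaval=total - prev | eval diffp=deltaval/<baseline>*100`.

    Rows without a prev are dropped, as a later `where diffp>5` would drop null diffp.
    `baseline="prev"` is the month-over-month percentage; `baseline="total"`
    reproduces dividing by the current month instead.
    """
    out = []
    for r in rows:
        if r["prev"] is None:
            continue
        delta = r["total"] - r["prev"]
        out.append(dict(r, deltaval=delta, diffp=delta / r[baseline] * 100))
    return out


def alerts(rows, threshold=5.0, time_ascending=True, baseline="prev"):
    """Return (SBU, month, diffp) for rows exceeding the threshold, i.e. `where diffp>5`."""
    computed = pct_change(streamstats_prev(rows, time_ascending=time_ascending), baseline)
    return [
        (r["SBU"], r["_time"].isoformat(), round(r["diffp"], 2))
        for r in computed
        if r["diffp"] > threshold
    ]


if __name__ == "__main__":
    # Correct reading: oldest month first, percentage relative to the previous month.
    print("ascending, /prev :", alerts(ROWS))
    # Newest month first: "prev" is really the *next* month, so a drop from Jan to Feb
    # in SBU B is reported as a January increase, while the real March rises vanish.
    print("descending, /total:", alerts(ROWS, time_ascending=False, baseline="total"))
```

Run as a script to see both orderings side by side. With the constructed data the ascending sort flags A and B for March 2023, the months that actually rose more than 5% over February, whereas the descending sort with division by `total` flags only January for SBU B, where the following month went down.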
Any reason why the streamstats prev value is not working?
That would be the way to go for this use case.
Thanks. Initially tried with delta, but streamstats works for this case.