I have the following search:
which produces the following results:
I have created a dashboard panel with this information. I'd like to do a month over month comparison, so I have created a second panel with the same search. The first panel time frame is set to search the month of September, and the second the month of October. I would like to calculate the percentage change for each Threat Category and display the results in a 3rd panel.
How would I go about accessing the count values in the panel to use in the calculation? Or is it even possible?
Thanks!
Taking from https://answers.splunk.com/answers/185455/how-to-create-a-month-over-month-year-over-year-re.html and modifying it, you could do something like:
index=zscaler urlsupercat="Advanced Security" earliest=-2month@month latest=-1month@month
| stats count as pre_month by urlcat
| join urlcat [ search index=zscaler urlsupercat="Advanced Security" earliest=-1month@month latest=@month | stats count as this_month by urlcat ]
| eval month_perc=100*(this_month / pre_month)
| rename urlcat as "Threat Category"
| table month_perc,"Threat Category"
....
You could start by creating a base search that does the combined period (remember to keep _time and just the fields you need)
HTH ...Laurie:{)
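The combined-period approach suggested at the end of the answer, written out as an added example (not part of the original answer): one search covers both months, each event is labelled by period from `_time`, and the percentage change is computed per category. Unlike the inner `join`, it keeps a threat category that appears in only one of the two months. The index and field names come from the thread; `period` and `pct_change` are names chosen here.

```spl
index=zscaler urlsupercat="Advanced Security" earliest=-2mon@mon latest=@mon
| eval period=if(_time < relative_time(now(), "-1mon@mon"), "pre_month", "this_month")
| chart count over urlcat by period
| fillnull value=0 pre_month this_month
| eval pct_change=if(pre_month=0, null(), round(100 * (this_month - pre_month) / pre_month, 2))
| rename urlcat as "Threat Category"
| table "Threat Category" pre_month this_month pct_change
```

A category with no events in the previous month gets an empty `pct_change` rather than a division by zero, so newly appearing categories stay visible in the panel.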