Percentage chart

leandromatperei
Path Finder

Hi.
I have a query that makes the difference of a query comparing today with last week.

I would like to generate a graph of percentage difference between the two, could someone help me?

My chart generates a timeline with events, however I would like a percentage chart.

earliest=-1w-12h latest=-1w index="raw_teste" (host=host1 OR host=host2) "Retrieving message #"
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "SemanaPassada" by time

| appendcols [search earliest=-12h latest=-5s index="raw_teste" (host=host1 OR host=host2) "Retrieving message #"
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "Hoje" by time]
0 Karma

to4kawa
Ultra Champion
 | makeresults count=2
 | streamstats count
 | eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
 | makecontinuous span=3m
 | where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w")
 | eval count=random() % 2 
 | where count = 1
 `comment("this is sample data")`
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | bin span=1h _time
 | eval hours=strftime(_time,"%H%M%S")
 | chart sum(count) as count over hours by date
 | eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100
 | eval _time=strptime(hours,"%H%M%S")
 | eval thresh=30
 | table _time Difference thresh

I don't know well, but is it like this?

Please try with Line Chart

When using it for alerts, change the 15th line to where Difference > 30.


"I would like to generate a graph of percentage difference between the two, could someone help me?"

I thought it was a chart, because you wrote this. But:

"where I want a chart of type Single Value?"

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s")) 
| makecontinuous span=3m 
| where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w") 
| eval count=random() % 2 
| where count = 1 
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje") 
| bin span=1h _time 
| eval hours=strftime(_time,"%H%M%S") 
| chart sum(count) as count over hours by date 
| eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100 
| eval _time=strptime(hours,"%H%M%S") 
| table _time Difference

Please try with Single Value.

If you just give a number, stats is fine, but if you want a change, you need timechart, etc.

0 Karma
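A single-value version of the threshold check discussed in the answer above (both the line-chart search and the Single Value variant), added here as an illustration; it is not part of the thread. It keeps the original question's index, hosts, search string and the "SemanaPassada"/"Hoje" labels, and uses the same `comment` macro the answers use. Two things are assumptions of mine rather than the thread's: the percentage is computed relative to last week's count (the thread's own formula divides by the sum of both counts), and the last-week window is guarded so an empty window yields a null instead of a division by zero. Counting both periods in one `stats` also avoids the positional join of the original `appendcols` approach, which misaligns the two columns whenever one period has a 20-minute bucket with no events.

```spl
index="raw_teste" (host=host1 OR host=host2) "Retrieving message #"
    ((earliest=-1w-1h latest=-1w) OR (earliest=-1h latest=-5s))
`comment("label each event by the one-hour window it fell into")`
| eval date=if(_time <= relative_time(now(), "-1w"), "SemanaPassada", "Hoje")
`comment("one row holding both counts, so no appendcols row alignment is needed")`
| stats count(eval(date="SemanaPassada")) as SemanaPassada,
        count(eval(date="Hoje")) as Hoje
`comment("assumed formula: change relative to last week; null when last week had no events")`
| eval Difference=if(SemanaPassada=0, null(),
        round(abs(SemanaPassada - Hoje) / SemanaPassada * 100, 1))
`comment("range field for colouring: low for under 30 percent, severe (red) otherwise")`
| rangemap field=Difference low=0-29.9 default=severe
| fields Difference range
```

Put `Difference` in a Single Value visualization. The `range` field that `rangemap` adds can drive the colour in that visualization; if your Splunk version does not pick it up, set a colour boundary at 30 in the visualization's Color format menu instead, which gives the same green-below-30, red-above-30 behaviour without `rangemap`. Because the search counts events from two disjoint time windows, always run it with the time picker set to "All time" or wider than one week, or the inline `earliest`/`latest` terms cannot reach last week's events.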

leandromatperei
Path Finder

I don't think I understood your last appointment well.

For example in the query below how would I do to calculate the percentage difference where I want a chart of type Single Value?

Could you show me.

index=* ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | stats count by date
0 Karma

to4kawa
Ultra Champion

I amended my answer.

Please tell me the calculation formula.

last_week - today?

0 Karma

leandromatperei
Path Finder

Thanks,

I need to calculate the difference in values between last week and today in the 01 hour range.

I need a single value chart and if it goes above 30% it turns red.

index=main ( earliest=-1w-1h latest=-1w) OR (earliest=-1h latest=-5s) | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje") 

The calculation can be from last week - today.

0 Karma

to4kawa
Ultra Champion

Please check my last answer.

The calculation is eval Difference.
If it is wrong, you can change it.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
| makecontinuous span=20m
| where _time > relative_time(now(),"-12h") OR _time < relative_time(now(),"-1w")
| eval count ="Retrieving message #"
| rename count as _raw
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

Hi, this is a sample query.

index="raw_teste" (host=host1 OR host=host2) "Retrieving message #" ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

How about this? (Visualisation > Pie Chart)

0 Karma

leandromatperei
Path Finder

Hi,

I would like a percentage number chart comparing these two values, is it possible?

I need to check two absolute values and see if the difference is above 30%.

These values are always comparing today with last week's date on the 01 hour timerange.

0 Karma

to4kawa
Ultra Champion

"I need to check two absolute values and see if the difference is above 30%."

Please tell me the calculation formula.

0 Karma