Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Percentage chart

leandromatperei
Path Finder
‎11-29-2019 11:31 AM

Hi.
I have a query that makes the difference of a query comparing today with last week.

I would like to generate a graph of percentage difference between the two, could someone help me?

My chart generates a timeline with events, however I would like a percentage chart.

earliest=-1w-12h latest=-1w index="raw_teste" (host=host1OR host=host2) "Retrieving message #"
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "SemanaPassada" by time

| appendcols [search earliest=-12h latest=-5s index="raw_teste" (host=host1OR host=host2) "Retrieving message #" 
| bucket _time span=20m | eval time=strftime(_time, "%H:%M") | chart count as "Hoje" by time]
Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2019 02:37 PM

You need the timewrap command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 05:50 PM 
 | makeresults count=2
 | streamstats count
 | eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
 | makecontinuous span=3m
 | where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w")
 | eval count=random() % 2 
 | where count = 1
 `comment("this is sample data")`
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | bin span=1h _time
 | eval hours=strftime(_time,"%H%M%S")
 | chart sum(count) as count over hours by date
 | eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100
 | eval _time=strptime(hours,"%H%M%S")
 | eval thresh=30
 | table _time Difference thresh

I don't know well, but is it like this?

Please try with Line Chart

When using it for alerts, change the 15th line to where Difference > 30.

I would like to generate a graph of percentage difference between the two, could someone help me?

I thought it is a chart, because you wrote this. but

where I want a chart of type Single Value?

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s")) 
| makecontinuous span=3m 
| where _time > relative_time(now(),"-12h") OR _time <= relative_time(now(),"-1w") 
| eval count=random() % 2 
| where count = 1 
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje") 
| bin span=1h _time 
| eval hours=strftime(_time,"%H%M%S") 
| chart sum(count) as count over hours by date 
| eval Difference= round(abs(SemanaPassada - Hoje) / (SemanaPassada + Hoje),1) * 100 
| eval _time=strptime(hours,"%H%M%S") 
| table _time Difference

Please try with Single Value.

If you just give a number, stats is fine, but if you want a change, you need timechart, etc.

0 Karma
Reply

leandromatperei
Path Finder
‎11-30-2019 06:04 AM

I don't think I understood your last appointment well.

For example in the query below how would I do to calculate the percentage difference where I want a chart of type Single Value?

Could you show me.

index=* ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
 | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
 | stats count by date
0 Karma
Reply

to4kawa
Ultra Champion
‎11-30-2019 02:42 PM

I amended answer.

Please tell me the calculation formula.

last_week - today?

0 Karma
Reply

leandromatperei
Path Finder
‎11-30-2019 04:45 PM

Thanks,

I need to calculate the difference in values ​​between last week and today in the 01 hour range.

I need a single value chart and if it goes above 30% it turns red.

index=main ( earliest=-1w-1h latest=-1w) OR (earliest=-1h latest=-5s) | eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")

The calculation can be from last week - today.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-30-2019 05:06 PM

please check my last Answer

the calculation is eval Difference
if it is wrong, you can change it.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 03:36 PM 
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1w-12h"), relative_time(_time,"-5s"))
| makecontinuous span=20m
| where _time > relative_time(now(),"-12h") OR _time < relative_time(now(),"-1w")
| eval count ="Retrieving message #"
| rename count as _raw
`comment("this is sample data")`
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

Hi, This is sample query.

index="raw_teste" (host=host1OR host=host2) "Retrieving message #" ( earliest=-1w-12h latest=-1w) OR (earliest=-12h latest=-5s)
| eval date=if(_time <= relative_time(now(),"-1w"),"SemanaPassada","Hoje")
| stats count by date

How about this? (Visualisation > Pie Chart)

0 Karma
Reply

leandromatperei
Path Finder
‎11-29-2019 05:10 PM

Hi,

I would like a percentage number chart comparing these two values, is it possible?

I need to check two absolute values ​​and see if there is a difference is above 30%

These values ​​are always comparing today with last week's date on the 01 hour timerange.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 05:33 PM

I need to check two absolute values ​​and see if there is a difference is above 30%

Please tell me the calculation formula

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...