Splunk Search

calculate delta of success rate of a particular field for two hosts

yamini_37
Path Finder

can you please help me in writing SPL query for the below scenario.
I want to calculate delta of success rate of a particular field for two servers.

I used the below query:
.....|stats values(Resp) as Resp values(Req) as Required by _time,host | eval Success_Rate= (Resp/Req)*100 |delta Success_Rate as Delta_of_Success_Rate | xyseries _time host Delta_of_Success_Rate

Here, splunk is calculating the delta according to values listed in the statistics. Can you please or correct this query to calculating delta value for each host

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval temp="Time: 21:30
Total: 60 Running: 05
mt100 pool1    /root/user/bin/process1.sh
mt100 pool12    /root/user/bin/process21.deb
mt201 pool2    /root/user/bin/process321.sh
mt301 pool3    /root/user/bin/process432.deb
mt301 pool312    /root/user/bin/process52.sh" 
| makemv delim="
" temp
| mvexpand temp
| rename temp as _raw
| erex processname examples="/root/user/binprocess1.sh,/root/user/bin/process21.deb"

Also please.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time=if(count=2,relative_time(_time,"-1d@m"),_time) 
| makecontinuous span=1m _time 
| eval host="host".(random() % 2 + 1) 
| eval Resp=random() % 5 + 1, Req=random() % 5 + 1 
| bin span=1h _time 
| stats sum(Resp) as Resp sum(Req) as Required by _time,host 
| eval Success_Rate= round((Resp/Required)*100) 
| reverse 
| delta Success_Rate as Delta_of_Success_Rate 
| xyseries _time host Delta_of_Success_Rate

Hi, folks. I think that if you use reverse, it works properly

0 Karma

woodcock
Esteemed Legend

Maybe this?

... | bin _time span=1h 
| stats dc(Resp) AS Resp dc(Req) AS Req BY _time host
| eval Success_Rate = 100 * (Resp / Req) 
| streamstats current=f last(Success_Rate) AS Next_Success_Rate BY host
| eval Delta_of_Success_Rate = Next_Success_Rate - Success_Rate
| timechart span=1h first(Delta_of_Success_Rate) AS Delta_of_Success_Rate BY host
0 Karma

aberkow
Builder

Can you give an example and desired output?

Does it look like:

host time delta
a 1

a 2
b 1
b 2

and you want it to just be for one host? sorted by host? thanks!

0 Karma

yamini_37
Path Finder

My desired output should be like:

Time Delta(host 1) Delta(host 2)

I didn't sort it by host. I will try like that.

0 Karma

yamini_37
Path Finder

I am getting the below output:

time host sucess_rate Delta_of_sucess_rate
12/29/19 08:40 AM XM1 100
12/29/19 08:40 AM XM2 98 -2
12/29/19 08:45 AM XM1 99 1
12/29/19 08:45 AM XM2 100 1
12/29/19 08:50 AM XM1 96 -4
12/29/19 08:50 AM XM2 95 -1

The above is calculating delta incorrectly. I want to display the below desired output.

time host sucess_rate Delta_of_sucess_rate
12/29/19 08:40 AM XM1 100
12/29/19 08:45 AM XM1 99 -1
12/29/19 08:50 AM XM1 96 -3
12/29/19 08:40 AM XM2 98

12/29/19 08:45 AM XM2 100 2
12/29/19 08:50 AM XM2 95 -5

OR

time success_XM1 delta_success_host(XM1) success_XM2 delta_success_host(XM2)
12/29/19 08:40 AM 100 98

12/29/19 08:45 AM 99 -1 100 2
12/29/19 08:50 AM 96 -3 95 -5

Finally, I want to show the delta values of two hosts in one panel by time. can you please help me on this. Thanks

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...