Answers for "help for calculating a trend in a table panel"
https://answers.splunk.com/answers/788647/help-for-calculating-a-trend-in-a-table-panel.html
The latest answers for the question "help for calculating a trend in a table panel"Answer by bowesmana
https://answers.splunk.com/answering/788651/view.html
Are your example numbers what you want?
Between Jan and Feb
- 300 is 50% more than 200 (b > a)
- 200 is 33.3% less than 300 (a < b)
by between Feb and Mar
- 300 is 200% more than 100 (a > b)
- 100 is 66% less than 200 (b < a)
so in your example are you looking to show,
a) when negative, what % the smaller value is of the larger value
b) when positive, what % the difference between the values is of the larger value
or something else.
Note that the sort -Month will sort in reverse chronological order, so with the %Y-%m your order will be March,Feb,Jan. Naturally if you then use delta, that will give different results.
So you could use
| eval Month=strftime(_time,"%Y-%m")
| stats count by Month
| sort Month
| eval diff=0
| delta count as diff
| eval percentage=round(diff/count*100,0)
Note that if you change the sort order the delta values are different. In the ascending sort, then change from 300 to 100 shows -200%.
So it sort of depends if Feb in your example is needed to show
a) Feb is a 50% growth over Jan
b) Jan was 33% lower than Feb
but to give you your example, you would have to do
| sort Month
| eval diff=0
| delta count as diff
| eval percentage=round(if(diff>0,diff/count*100,diff/(count-diff)*100),0)
NB: Ascending sort
Run anywhere example
| makeresults
| rename COMMENT as "Setting up data to show example"
| eval f="2019-01,200#2019-02,300#2019-03,100"
| makemv delim="#" f
| mvexpand f
| rex field=f "(?<Month>[^,]*),(?<count>.*)"
| fields - f, _time
| sort Month
| eval diff=0
| delta count as diff
| eval percentage=round(if(diff>0,diff/count*100,diff/(count-diff)*100),0)Tue, 10 Dec 2019 09:58:30 GMTbowesmanaAnswer by jitendragupta
https://answers.splunk.com/answering/789450/view.html
try this:
` index="toto" sourcetype="tutu" assigned_group="titi"
| dedup incident_number
| eval Month=strftime(_time,"%Y-%m")
| stats count by Month
| sort -Month
| delta count as Diff
| eval percentageTrend =(Diff/count)*100`Tue, 10 Dec 2019 09:12:46 GMTjitendragupta