Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate the percentage difference of search 1 to search 2?

pavanae
Builder
‎09-30-2015 10:31 AM

Hi

I have two different searches and two different results as follows

Search 1:

index="xyz" ".handleCommitOrder"|xmlkv | timechart count(date_mday) span=1h

Result of search 1:

_time                  count(date_mday)
2015-09-30 09:00              38
2015-09-30 10:00              29
2015-09-30 11:00              57
2015-09-30 12:00              37
2015-09-30 13:00              30

search 2: 

index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart count(Order_Number)  span=1h

Result of Search 2:

_time                 count(Order_Number)
2015-09-30 09:00              714
2015-09-30 10:00              813
2015-09-30 11:00              967
2015-09-30 12:00              958
2015-09-30 13:00              110

Now I want to know the percentage difference of search 1 and search 2 and how can I display them in statistical result?

Is it possible in Splunk ?
Please help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 03:04 PM

You could run this:

  index="xyz" ".handleCommitOrder"|xmlkv | timechart span=1h count as commits
| appendcols [search index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart span=1h count as orders]
| eval percentage = commits / orders * 100

Not sure what exact calculation you want between the two, just adapt the eval to your needs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 03:04 PM

You could run this:

  index="xyz" ".handleCommitOrder"|xmlkv | timechart span=1h count as commits
| appendcols [search index="xyz" source="/opt/jboss/server/abc/log/server.log" OR source="/opt/jboss/server/def/log/server.log" "Order_Number" |xmlkv   | timechart span=1h count as orders]
| eval percentage = commits / orders * 100

Not sure what exact calculation you want between the two, just adapt the eval to your needs.

0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎09-30-2015 04:15 PM

Thanks it worked but taking too much time for parsing the search

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-30-2015 11:28 PM

That's the time taken to run the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...