- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I make a search that compares weekly va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to compare 1 week of tabled data to the previous weeks and calculate the percentage difference for each field value for field note_label
Initial search:
search... | stats count by note_label
note_label count
abc 10
abcd 20
abcde 30
I would like to show the data as:
note_label count (week1) count(week2) %Change
abc 10 20 100%
abcd 20 5 -75%
abcde 40 60 50%
I may be following the wrong route as i tried this but had no luck, and may need to use a different method? This search only give me the "note_label" field value names, but not the values.
earliest=-1w latest=now my_search | stats earliest(note_label) as e_status_label latest(note_label) as l_note_label | eval 1w=(l_note_label-e_note_label)/e_note_label*100
| appendcols [ search earliest=-2w latest=now my_search | stats earliest(note_label) as e_note_label latest(note_label) as l_note_label | eval 2w=(l_note_label-e_note_label)/e_note_label*100 ]
| fields note_label 1w 2w
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to figure it out in the end. I stuck with appendcols and changed my search with eval to calculate the percentage differences;
earliest=-1w latest=now MYSEARCH | rename count AS count_this_week status_label AS Supression_statusMYSEARCH | rename count AS count_last_week status_label AS Supression_status] | eval change= ((count_this_week - count_last_week)/count_this_week)*100 | eval change=round(change,2) | eval change= change+ " %"|fields Supression_status, count_this_week, count_last_week, change
| appendcols
[ search earliest=-2w latest=-1w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to figure it out in the end. I stuck with appendcols and changed my search with eval to calculate the percentage differences;
earliest=-1w latest=now MYSEARCH | rename count AS count_this_week status_label AS Supression_statusMYSEARCH | rename count AS count_last_week status_label AS Supression_status] | eval change= ((count_this_week - count_last_week)/count_this_week)*100 | eval change=round(change,2) | eval change= change+ " %"|fields Supression_status, count_this_week, count_last_week, change
| appendcols
[ search earliest=-2w latest=-1w
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
