I am still getting into the swing of things with Splunk and have a question.
I am generating a chart like this:
chart Average by Component Day
It's only 2 days, so I'd like to calculate a percentage of change between the days (still by Component) and add that as another column.
I'd appreciate any help, suggestions, etc.
You mean something like this?
index=_internal group=pipeline OR group=queue
| bucket _time span=1d | stats count by _time group
| streamstats window=2 current=f last(count) as previouscount by group
| eval delta=count-previouscount
| timechart span=1d avg(count) as Value avg(previouscount) avg(delta) as Difference by group | fields - avg(previous*
This example slightly differs from how your chart is generated but should in effect do the same.
Because I don't know what your data is, I just took two groups from internal data, put it into one day buckets and did a count by _time and group. This should equal your chart by day and component. In the resulting statistics, I added the value from the day before (of the same group) with streamstats - see what the table looks like before the eval delta...
for what things look like at this stage. From there, it's a simple eval to calculate the difference between the value of this and the previous day, and plotting that on a timechart (without the values of the previous day of course, which are only needed for the calculation).
Feel free to ask if there's anything I went over too quickly.
Fancy stuff... I am still trying to dissect it (and digest it).
With the original chart command, I get 3 columns, as expected, one for the Components (basically most of the log description) and then 2 days' worth of metrics. I don't seem to get those with this answer, but I am trying to see how I can leverage some of the ideas.
I get 4 days in first column and then columns for a pair of pipeline and queue values.
Will tinker a bit more...
To help you out, here is a version of the same idea with chart
instead of timechart
using a strftime version of _time, and I've also renamed the fields to what your data looks like to make the connection to your data clearer (I just picked groups pipeline and queue to have some data at hand as a run-anywhere example):
index=_internal group=pipeline OR group=queue
| bucket _time span=1d | rename group as Component
| eval Day=strftime(_time, "%Y-%m-%d")
| stats count by Day Component
| streamstats window=2 current=f last(count) as previouscount by Component
| eval delta=count-previouscount
| chart avg(count) as Value avg(previouscount) avg(delta) as Difference by Day Component
| fields - avg(previous*
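The question asked for a percentage of change rather than a raw difference, and for the result laid out like the original `chart Average by Component Day` (one row per Component, one column per Day). The search below is an added example based on the streamstats idea in the answers above; it is not code from the original poster or the answerer. It uses the same run-anywhere `index=_internal` data with `group` standing in for Component and a daily `count` standing in for the Average field; the field names `Average`, `Previous`, `Delta` and `PctChange` are assumptions for illustration. `Day` is formatted as `%Y-%m-%d` so that string sorting is chronological, which `streamstats` depends on when picking the previous row. The first day of each Component has no previous value, and a previous value of 0 would divide by zero; both cases are left blank instead of producing an error or a misleading number.

```spl
index=_internal group=pipeline OR group=queue
| bucket _time span=1d
| rename group AS Component
| eval Day=strftime(_time, "%Y-%m-%d")
| stats count AS Average BY Day Component
| sort 0 Component Day
| streamstats current=f window=1 last(Average) AS Previous BY Component
| eval Delta=Average-Previous
| eval PctChange=if(isnull(Previous) OR Previous=0, null(), round(Delta/Previous*100, 2))
| chart max(Average) AS Average max(Delta) AS Delta max(PctChange) AS PctChange BY Component Day
```

The result has one row per Component with columns such as `Average: 2013-03-04`, `Delta: 2013-03-05` and `PctChange: 2013-03-05`; the Delta and PctChange columns for the earliest day are empty because there is nothing to compare against. PctChange is relative to the earlier day, so a drop from 40 to 30 shows as -25. To apply it to real data, replace the `stats count AS Average BY Day Component` line with whatever stats stage already produces your Average, keep the `sort 0 Component Day` so the row order is explicit, and leave the rest unchanged.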