Hi Folks,
Here's what I have,
index=blah | bucket span=1d _time | chart count(id) over _time by src
Chart:
_time   src1   src2
day1    100    200
day2    110    180
day3    105    100
day4     90    210
Now here's what I am looking for: given a time window, produce the % variation from the start of the time period per source. The start of the time period is considered the baseline (0%). I am looking for a way to refer to the first bucket value to compute these % values. The end result should look something like below.
Chart:
_time   src1   src1%   src2   src2%
day1    100    0%      200    0%
day2    110    10%     180    -10%
day3    105    5%      100    0%
day4     90    -10%    210    5%
Is there a way to use _time as a key? If yes, how?
I've re-created your scenario after the chart like this:
| gentimes start=-1 increment=2h | streamstats count as day | fields day | eval value=(random()%200) | appendpipe [stats count as day | eval day=0 | eval value=100] | sort + day
Running that produces a table similar to your first result. Using that, I've built a table similar to your desired second result like this:
... | eventstats first(value) as baseline | eval diff=(value-baseline)/baseline | fieldformat diff = round(diff*100,2)."%" | table day value diff
The end result looks something like this:
day   value   diff
0     100     0.00%
1      70     -30.00%
2      47     -53.00%
3     156     56.00%
4     181     81.00%
5     130     30.00%
6     155     55.00%
7     192     92.00%
8     137     37.00%
9     110     10.00%
10      7     -93.00%
11    100     0.00%
12    133     33.00%
You can run a search pipeline for multiple fields using the foreach command: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/foreach
I was able to produce A. as below:
index=blah | bucket span=1h _time | stats count(id) as cnt by _time, src | table _time, src, cnt | xyseries _time src cnt
but I am having difficulties creating the diff per src. How can I create multiple fields at once?
Martin, thanks for replying. I see your point. It looks like a great approach for a single series of data. I am having difficulties applying the same to multiple time series.
As you can see in my example above, I have a matrix of data for each "src". Hence I am using bucket/span along with chart to produce the 1st table.
In order to use your approach,
A. I need to bring the data into tabular form without using chart and the "over" feature.
B. Generate the diff per src as the final solution.
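Putting Martin's eventstats approach together with a by-clause so the baseline is computed per src, and then pivoting back into one row per day. This is an added example, not search text from either poster; it assumes the same index=blah, id and src fields as the question, and the "cnt: src1" / "pct: src1" column names are what xyseries produces when given two data fields.

```spl
index=blah
| bucket span=1d _time
| stats count(id) as cnt by _time, src
| sort 0 _time
| eventstats first(cnt) as baseline by src
| eval pct=round((cnt-baseline)/baseline*100, 2)
| xyseries _time src cnt pct
```

Because first() takes the first row per src in search order, the explicit sort by _time guarantees the baseline is the earliest bucket; a src that has no events in the first bucket gets its first non-empty bucket as baseline instead.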