我需要计算过去5分钟内事件数量与前5分钟相比的增加/减少百分比。所以我想我需要这样的东西:
(stats count <query A> - stats count <query B>) / stats count <query B>
我无法创建有效的查询 - 是否可以在Splunk中实现此目的?
答案 0 :(得分:0)
在这里回答:http://answers.splunk.com/answers/106765/percentage-change-in-event-counts
earliest=-5m@m latest=@m your_search |eval Report="Second"| append [search earliest=-10m@m latest=-5m@m your_search | eval _time = _time + 300 | eval Report="First"] | stats sum(eval(if(match(Report,"First"),1,0))) as First sum(eval(if(match(Report,"Second"),1,0))) as Second count as Total | eval DiffPercent = (First - Second) / First * 100