我需要计算过去 5 分钟内事件数量与前 5 分钟相比增加/减少的百分比。所以我想我需要这样的东西:
(stats count <query A> - stats count <query B>) / stats count <query B>
我无法创建有效的查询 - 是否可以在 Splunk 中实现这一点?
问问题
3119 次
1 回答
0
在这里回答:http: //answers.splunk.com/answers/106765/percentage-change-in-event-counts
earliest=-5m@m latest=@m your_search |eval Report="Second"| append [search earliest=-10m@m latest=-5m@m your_search | eval _time = _time + 300 | eval Report="First"] | stats sum(eval(if(match(Report,"First"),1,0))) as First sum(eval(if(match(Report,"Second"),1,0))) as Second count as Total | eval DiffPercent = (First - Second) / First * 100
于 2013-10-17T13:25:43.390 回答