Splunk: Percent change in events count

Question

I need to calculate the percentage increase/decrease in the number of events in the last 5 minutes compared to the previous 5 minutes. So I think I need something like this:

(stats count <query A> - stats count <query B>) / stats count <query B>

I wasn't able to create a query that works - is it possible to achieve this in Splunk?

Answer 1

Answer here: http://answers.splunk.com/answers/106765/percentage-change-in-event-counts

earliest=-5m@m latest=@m your_search |eval Report="Second"| append [search earliest=-10m@m latest=-5m@m your_search | eval _time = _time + 300 | eval Report="First"] | stats sum(eval(if(match(Report,"First"),1,0))) as First sum(eval(if(match(Report,"Second"),1,0))) as Second count as Total | eval DiffPercent = (First - Second) / First * 100