I want to find the difference in count of processes from last 2 months

shreyasathavale
Communicator

My 1st search:
earliest=-2mon@mon latest=-1mon@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value1

My 2nd search:
earliest=-1mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value2

I want to find Value1-Value2, or the difference in count. When I ran the individual searches I got the counts 1441 and 1347, but when I used append the 2nd count was reduced to 925 instead of 1347; the same happens for join.
How can I find the exact difference in counts?

1 Solution

tiagofbmm
Influencer

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want


shreyasathavale
Communicator

I added | eval Month=strftime(_time,"%m %b %Y") to the command and it worked. Thanks!!

tiagofbmm
Influencer

Sorry, I meant date_month and not date_mday, so you could use:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_month

shreyasathavale
Communicator

Can you help me out with eval command for difference in these 2 months values?
My result looks like:

Month Values
01-Jan-2018 1447
02-Feb-2018 1345

I want to calculate the difference 1447-1345.

tiagofbmm
Influencer

Try the delta command:

| makeresults 
| eval A=10 
| append 
    [| makeresults 
    | eval A=20 ] 
| delta A

Don't forget to upvote useful comments


shreyasathavale
Communicator

This search took too much time to run and finally it gave me 2 values by host and not by Month 😞

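The thread never shows the complete search the asker ended up with, so here is an added example (editor's code, not posted by anyone in the thread) that does the whole job in one search: per-month distinct count of host/PID pairs, then the difference between the older and the newer month as a single value. It keeps the thread's field names (host, PID, COMMAND) and host values, and derives the month with strftime on _time rather than relying on date_month, because the date_* fields only exist when Splunk extracted the timestamp from the raw event text. Running everything in one search also sidesteps the likely reason the appended count came out lower: an append or join subsearch is bounded by its own maxtime and maxout limits (60 seconds and 50,000 results by default), and a subsearch that is cut off returns a smaller count without any error.

```spl
earliest=-2mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN
| eval Month=strftime(_time, "%Y-%m"), host_pid=host.":".PID
| stats dc(host_pid) AS Value by Month
| sort Month
| stats first(Value) AS Value1, last(Value) AS Value2
| eval Difference=Value1-Value2
```

dc(host_pid) by Month is equivalent to the original dedup host,PID followed by count(PID), but computed separately for each month inside a single search, so a PID reused in both months is counted once per month just as the two separate searches did. After sort Month, first(Value) is the older month and last(Value) the newer one, so Difference is Value1-Value2 with the sign the question asked for; if you prefer to keep the per-month table, replace the last two lines with | delta Value AS Change, which adds the month-over-month change to the second row (newer minus older).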