- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- How to subtract outcome of count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two saved searches, saved them as macros.
1: [search sourcetype="brem" sanl31 eham Successfully completed (cc*) | fields MessageTime] sanl31 eham Successfully completed cc* | stats count
This is saved as brem_correction_count
2: [search sourcetype="brem" sanl31 eham Successfully completed (cc*) | fields MessageTime] sanl31 eham Successfully completed NOT cc* | stats count
This is saved as brem_corrected_count
How can I use these searches to subtract the outcome of the 2 searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I don't understand what the subsearch is doing in either one of these. I think you can simplify like this:
Search 1:
sourcetype="brem" sanl31 eham Successfully completed cc* | stats count
Search 2:
sourcetype="brem" sanl31 eham Successfully completed NOT cc* | stats count
The fastest search that would calculate the difference would probably be
sourcetype="brem" sanl31 eham Successfully completed
| eval ccType=if(match(_raw,"\bcc"),"Yes","No")
| stats count(eval(ccType="Yes")) as ccCount count(eval(ccType="No")) as NotCcCount
| eval diff =ccCount - NotCcCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for you answer, it does exactly what I needed. The subsearch is needed to find two related messages based on a field MessageTime. Sorry that I confused you, but the subsearch is needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I don't understand what the subsearch is doing in either one of these. I think you can simplify like this:
Search 1:
sourcetype="brem" sanl31 eham Successfully completed cc* | stats count
Search 2:
sourcetype="brem" sanl31 eham Successfully completed NOT cc* | stats count
The fastest search that would calculate the difference would probably be
sourcetype="brem" sanl31 eham Successfully completed
| eval ccType=if(match(_raw,"\bcc"),"Yes","No")
| stats count(eval(ccType="Yes")) as ccCount count(eval(ccType="No")) as NotCcCount
| eval diff =ccCount - NotCcCount
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
