Splunk Search

How to eval results of two searches?

lokival
Explorer

Using Splunk 4.2.3 build 105575

I have a search which I use to compare the current status of a system (1 hr window) to the status as at 1 week ago -

connect earliest=-1w@h latest=-1w@h+1h | stats count as pw |
append [ search connect earliest=-1h latest=now | stats count as cur] | eval diff = pw -cur

I get the values for pw & cur just fine, I just can't seem to perform any calculations on them.

Is there any way to have eval (or another command) operate on the results of the main search & the sub-search?

Or is there a way to have one search cover multiple time ranges?

1 Solution

Flynt
Splunk Employee

Try renaming the field as query (this will keep your current cur and should give you the stats you need)

connect earliest=-1w@h latest=-1w@h+1h | stats count as pw | eval cur= [search connect earliest=-1h latest=now | stats count as cur|rename cur as query] | eval diff = pw -cur

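An alternative that avoids a subsearch inside eval, added here as an example and not taken from the thread: keep the original append, then merge the two single-row results with a second stats so that pw and cur sit on one row before eval runs. The original search fails because append adds the subsearch's result as a second row, so no single row carries both fields and pw - cur is null on each. The search term connect and the two time windows are the question's; the rest is a plain SPL idiom that works on any version.

```spl
connect earliest=-1w@h latest=-1w@h+1h
| stats count as pw
| append [ search connect earliest=-1h latest=now | stats count as cur ]
| stats sum(pw) as pw, sum(cur) as cur
| eval diff = pw - cur
```

If the subsearch returns no row at all (for example because it hit a subsearch limit), sum(cur) is null and so is diff; insert fillnull value=0 pw cur before the eval if a zero should be reported instead of an empty result.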

lokival
Explorer

Perfect, exactly what I was looking for.

Thanks much!


Drainy
Champion

Sure you can. You can do the subsearch as an eval like so

| eval lasthour = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as search]

This will keep the last hour as lasthour and you can then perform stats as you wish. The rename to search allows Splunk to understand the returned data and save it within the lasthour field. Also a great use for this is to create percentage (ratio) values to compare current data to historical data.

EDIT:
Here is a link to more detail:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork
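For the question's follow-up, whether one search can cover both time ranges, here is an added example (not from the thread) that also shows the percentage comparison mentioned above. It puts both windows into a single event search by joining two parenthesised earliest/latest pairs with OR, tags each event by window with eval, and counts each group inside one stats so that pw and cur are on the same row. The term connect and the offsets are the question's; relative_time(now(), "-1h") reproduces the -1h boundary, and the "pw" fallback is safe only because the search retrieves nothing outside the two windows. Relying on OR'd time-modifier pairs is the one assumption here; it is accepted by current Splunk versions.

```spl
connect ((earliest=-1w@h latest=-1w@h+1h) OR (earliest=-1h latest=now))
| eval period = if(_time >= relative_time(now(), "-1h"), "cur", "pw")
| stats count(eval(period="pw")) as pw, count(eval(period="cur")) as cur
| eval diff = pw - cur
| eval pct_change = if(pw > 0, round(100 * (cur - pw) / pw, 1), null())
```

The if() guard keeps pct_change null rather than raising a divide-by-zero when the week-ago window had no events, and because there is no subsearch at all, none of the subsearch row and time limits apply.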

lokival
Explorer

Ahhhhhhh.

Now I get it. Thanks much!


Drainy
Champion

My example assumes you are running the stats command. If you add your stats in, then it will store the value of the returned count. If you just do a search, you can't just pull back X number of values into one field like that.


lokival
Explorer

Tested your suggestion like so -

search connect | eval lasthour = [ search connect earliest=-1h latest=now ]

Returns this error -

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
