How to add the result of 2 calculations in 2 searches?

citizencrane
New Member

I have 2 searches in which, from the log, I calculate the difference of a number at the current time and the beginning of the day. I'd like to take the difference calculated across 2 of the hosts and add them together, which would provide a total across 2 hosts.

This is what I'm using to calculate across 1 host:

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_7" | stats earliest(DequeueCount) AS pEarliest7 latest(DequeueCount) AS pCurrent7 by mbean_property_destinationName | eval MsgsToday7=pCurrent7-pEarliest7

2nd host would be identical except a different host name.

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_8" | stats earliest(DequeueCount) AS pEarliest8 latest(DequeueCount) AS pCurrent8 by mbean_property_destinationName | eval MsgsToday8=pCurrent8-pEarliest8

I need the outcome to be MsgsToday7+MsgsToday8=TotalMessagesToday

1 Solution

martin_mueller
SplunkTrust

Something like this?

   index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" (host="host_7" OR host="host_8")
| stats earliest(DequeueCount) AS pEarliest latest(DequeueCount) AS pCurrent by host mbean_property_destinationName
| stats sum(pEarliest) as pEarliest sum(pCurrent) as pCurrent by mbean_property_destinationName
| eval MsgsToday=pCurrent-pEarliest

That's assuming you don't actually need a regular expression match on the host field... if you do, pre-filter with a wildcard match for performance and then regex-filter with an OR'd expression to match host 7 or host 8.
The first stats calculates earliest and latest values per host and mbean, the second stats sums up values over all hosts per mbean.
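
The regex variant that the answer above describes but does not show, as an added example that is not part of the original post. The `host="host_*"` wildcard and the anchored pattern `^host_(7|8)$` are assumptions based on the two host names in the question; this version also subtracts per host before summing and uses `eventstats` so each host's MsgsToday stays visible next to TotalMessagesToday.

```spl
index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" host="host_*"
| regex host="^host_(7|8)$"
| stats earliest(DequeueCount) AS pEarliest latest(DequeueCount) AS pCurrent by host mbean_property_destinationName
| eval MsgsToday=pCurrent-pEarliest
| eventstats sum(MsgsToday) AS TotalMessagesToday by mbean_property_destinationName
```

Swapping the final `eventstats` for `stats` returns only the total row per mbean instead of one row per host.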

citizencrane
New Member

That works, the by host is what had me thrown for a loop, Thanks!
