How to calculate the difference between count of t...

changux · ‎11-01-2016

Hi all.

I have a first search:

index=first sourcetype=type1 | stats count

And a second:

index=first  sourcetype=data_sourcetype | join ID  [search index="second" sourcetype="datatype2"] | stats count

Both cases returns number of events. But I need to calculate the number difference between the first search's value and the second. How i can proceed?

Thanks!

somesoni2 · ‎03-03-2017

Try this

index=first  (sourcetype=data_sourcetype  [search index="second" sourcetype="datatype2" | stats count by ID | table ID ] ) OR sourcetype=type1 
| chart count over index by sourcetype | eval difference='data_sourcetype' - 'type1'

niketn · ‎11-01-2016

Based on the above search you might not need join for the second search. See if following query helps:

You can also save index AND sourcetype searches as three different eventtypes and then use stats count by eventtype as your query. accum and delta can be used on different rows of search results by eventtype.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to calculate the difference between count of two different searches?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!