- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- combine 2 queries and subtract the results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
combine 2 queries and subtract the results
I have the below queries, would like to run together and subtract the count results. Any help appreciated.
- |host=SMD* source="D:\Apps\CM\Logs\CM_" "Removing Session" AND "CM_EMD"
- | rex field=_raw "(?.+)"
- | rex field=_raw "(?.+)"
- | convert timeformat="%d" ctime(_time) AS c_time
- | table c_time Server UserName count
- | dedup c_time Server UserName | stats count by c_time Server
and
- |host=SMD* source="D:\Apps\CM\Logs\CM_" "Adding Session" AND "CM_EMD"
- | rex field=_raw "(?.+)"
- | rex field=_raw "(?.+)"
- | convert timeformat="%d" ctime(_time) AS c_time
- | table c_time Server UserName count
- | dedup c_time Server UserName | stats count by c_time Server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bgleich, you should try editing the code section and re-post using code button 101010 so that special characters do not escape.
Based on the query posted seems like you are looking at the same data source for Adding Session and Removing Session per day for every User (unique) and then want to get the difference of their count.
PS: You seem to have two separate rex running on _raw (please share your anonymized/masked raw data and current regular expression if you want us to assist you with combining the same. Also if you can pull the Status of the log event as Adding or Removing it would help you in writing better query. Remember to post these with code button 101010 on Splunk Answers comment.
If your regular expression is working as expected, and you can figure out single rex, Please try the following query,
<your_base_search_index_and_sourcetype> host=SMD* source="D:\\Apps\\CM\\Logs\\CM_*" "CM_EMD" ("Adding Session" OR "Removing Session")
| rex "<your_regular_expression_to_extract_Server_and_UserName>"
| eval Status=case(searchmatch("Adding Session"),"Adding",searchmatch("Removing Session"),"Removing",true(),"Unknown")
| dedup date_mday Server UserName Status
| eval key=Server."-".date_mday
| chart count by key Status
| eval difference=Adding-Removing
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm guessing that your post is eating some characters, because this search command doesn't do anything at all, except throw an error:
| rex field=_raw "(?.+)"
and it makes even less sense to do it twice in a row. Can you edit your post and wrap the search queries in code blocks by highlighting the code and then clicking the 101010 button?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi can you try this and see if it fits please:
|host=SMD* source="D:\Apps\CM\Logs\CM_" "Removing Session" AND "CM_EMD"
| rex field=_raw "(?.+)"
| rex field=_raw "(?.+)"
| convert timeformat="%d" ctime(_time) AS c_time
| table c_time Server UserName count
| dedup c_time Server UserName
| stats count as C1 by c_time Server
| appendcols [ search
|host=SMD* source="D:\Apps\CM\Logs\CM_" "Adding Session" AND "CM_EMD"
| rex field=_raw "(?.+)"
| rex field=_raw "(?.+)"
| convert timeformat="%d" ctime(_time) AS c_time
| table c_time Server UserName count
| dedup c_time Server UserName
| stats count as C2 by c_time Server ]
| eval Diff=C2-C1
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
