Splunk Search

I want to find the difference in count of processes from the last 2 months

shreyasathavale
Communicator

My 1st search:
earliest=-2mon@mon latest=-1mon@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value1

My 2nd search:
earliest=-1mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value2

I want to find Value1-Value2, or the difference in count. When I ran the individual searches I got the counts 1441 and 1347, but when I used append the 2nd count reduced to 925 instead of 1347; the same happens for join.
How can I find the exact difference in counts?

1 Solution

tiagofbmm
Influencer

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want


shreyasathavale
Communicator

I added | eval Month=strftime(_time,"%m %b %Y") to the command and it worked. Thanks!!

tiagofbmm
Influencer

Sorry, I meant date_month and not date_mday, so you could use:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_month

shreyasathavale
Communicator

Can you help me out with eval command for difference in these 2 months values?
My result looks like:

Month Values
01-Jan-2018 1447
02-Feb-2018 1345

I want to calculate difference of 1447-1345


tiagofbmm
Influencer

Try the delta command:

| makeresults 
| eval A=10 
| append 
    [| makeresults 
    | eval A=20 ] 
| delta A

Don't forget to upvote useful comments


shreyasathavale
Communicator

This search took too much time to run and finally it gave me 2 values by host and not by Month 😞
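
As an added example (not code from either poster), here is one search over the whole two-month window that keeps the original dedup on host and PID, buckets the distinct counts by calendar month, and computes the earlier-minus-later difference with streamstats instead of delta (delta would return later minus earlier, so its sign is reversed). The index, hosts and COMMAND value are the placeholders from the question.

```spl
earliest=-2mon@mon latest=@mon index=linux (host=abc OR host=xyz) COMMAND=LMN
| bin _time span=1mon
| stats dc(PID) AS Value by _time, host
| stats sum(Value) AS Value by _time
| sort 0 _time
| eval Month=strftime(_time,"%b %Y")
| streamstats current=f last(Value) AS PreviousMonth
| eval Diff=PreviousMonth-Value
| table Month Value PreviousMonth Diff
```

With the sample values from the thread the second row would show Value 1345, PreviousMonth 1447 and Diff 102; counting dc(PID) per host before summing matches `dedup host,PID` in the original searches, so a PID reused on two hosts is counted once per host.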
