Splunk Search

difference of two counts

lain179
Communicator

chart count(IN), count(OUT), count(EXP) by SERVER

I also want to include the calculated value of count(IN)-count(OUT)-count(EXP) on the column chart. How can I include that calculation?

Thanks!

Tags (1)
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

I can't try it right now but it probably looks like this:

<search> | stats count(IN) as inCount, count(OUT) as outCount, count(EXP) as expCount by SERVER | eval calcField = inCount - outCount - expCount | chart inCount, outCount, expCount, calcField by SERVER

View solution in original post

sdaniels
Splunk Employee
Splunk Employee

I can't try it right now but it probably looks like this:

<search> | stats count(IN) as inCount, count(OUT) as outCount, count(EXP) as expCount by SERVER | eval calcField = inCount - outCount - expCount | chart inCount, outCount, expCount, calcField by SERVER

lain179
Communicator

Thanks. That way works!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...