index=oswindows sourcetype="winhost" host=npe OR host=npw source=service earliest="-30d@d" latest="@d" DisplayName="Vontu Monitor"
| transaction DisplayName !(startswith="State=Stopped" endswith="State=Running")
| stats sum(duration) as abc1 by host,DisplayName
index=oswindows sourcetype="winhost" host=npe OR host=npw source=service earliest="-30d@d" latest="@d" DisplayName="Vontu Monitor"
| transaction DisplayName startswith="State=Stopped" endswith="State=Running"
| stats sum(duration) as abc2 by host, DisplayName
What I want is to subtract the first sum of values by host from the first search with the second search. Please help me. I tried append and appendcols but it doesn't display the second search result.
This is a simple example, but give something like this a try:
sourcetype=access_combined action=addtocart
| stats sum(bytes) as bytes_atc by clientip
| appendcols
[ search sourcetype=access_combined action=purchase
| stats sum(bytes) as bytes_purch by clientip]
| eval sum_all=bytes_atc + bytes_purch
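One caveat with the pattern above: appendcols pairs rows by position, not by clientip, so if the second subsearch returns fewer clientips or a different order, the bytes values are added to the wrong row. The following is an added example (not part of the answer above) that extends the same two searches to an append plus a re-keying stats, so every clientip is matched on the by-field and a clientip present on only one side gets 0 instead of a null:

```spl
sourcetype=access_combined action=addtocart
| stats sum(bytes) as bytes_atc by clientip
| append
    [ search sourcetype=access_combined action=purchase
      | stats sum(bytes) as bytes_purch by clientip ]
| stats sum(bytes_atc) as bytes_atc, sum(bytes_purch) as bytes_purch by clientip
| fillnull value=0 bytes_atc bytes_purch
| eval sum_all = bytes_atc + bytes_purch, diff = bytes_atc - bytes_purch
| table clientip, bytes_atc, bytes_purch, sum_all, diff
```

The same shape applies to the question's searches: keep `by host, DisplayName` in both stats calls and in the final stats, then `eval diff = abc1 - abc2`.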
The two searches are identical except for the as
clause so the result will always be zero.
Perhaps you meant to paste a different second search?
One with ! in it... in the transaction command...