Splunk Search

Substracting chart contents over a range

asarolkar
Builder

I have a question about constants and timechart/chart/stats

I have a search like this

sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | stats count by range

I need to be able to add a | append such that i can print the difference.

Difference = 100 - "in" - "out"

Any ideas on how stats works in the context of deducting two values gathered over time from a constant and displaying it on the exact same time chart ?

0 Karma
1 Solution

kristian_kolb
Ultra Champion

well, this should work. Create three counts (c, IN and OUT) in the stats function, and just eval the difference from the constant after the stats.

sourcetype=syslog |... 
| eval range = if(date_hour >= 3 OR date_hour <= 4, "in", "out") 
| stats c c(eval(range="in")) as IN c(eval(range="out")) as OUT 
| eval Difference = 100 - c

/K

View solution in original post

0 Karma

kristian_kolb
Ultra Champion

well, this should work. Create three counts (c, IN and OUT) in the stats function, and just eval the difference from the constant after the stats.

sourcetype=syslog |... 
| eval range = if(date_hour >= 3 OR date_hour <= 4, "in", "out") 
| stats c c(eval(range="in")) as IN c(eval(range="out")) as OUT 
| eval Difference = 100 - c

/K

0 Karma

asarolkar
Builder

Hi, What if its not a constant like 100.

What if its read from a an inputlookup like so

| inputlookup constantTable | where OrgId=100 | field CONSTANT

CONSTANT = 100

How do I incorporate an appendpipe into this without losing "in" and "out" ?

Any help would be appreciated.

0 Karma

jonuwz
Influencer

And for timechart / chart its as simple as

    sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | timechart count by range | eval Difference=100-in-out
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...