Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I calculate 2 different search result

chappe4
New Member
‎02-28-2013 06:03 AM

If I do a search in on index and get a value then I need to search another index to get second value. How can I combine these so I am able to calculate the difference? Like 10 - 5 = 5 and then display the result. Is there a way to get the search result into a variable?

Here is an example of the search.
index=sentrion-summary-fine search_name="Firewall Block" |stats count(host) as block
index=sentrion-summary-fine search_name"Summarize Message Categorization, Disposition by 30min"
| search disposition="Deliver" cluster="cluster_1" | stats count as deliver

So from this I would like to calculate block - deliver =
Leif

Tags (1)
0 Karma
Reply

cramasta
Builder
‎03-01-2013 08:05 AM

AHH man i was not thinking about this right, those are not field names in the first search, the fields would be search_name and count. The only way I can think of doing this right now is like this, and please someone tell me better way to go about this.

(index=sentrion-summary-fine search_name="Firewall Block") OR (index=sentrion-summary-fine search_name="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1") | stats count AS theCount by search_name | sort + search_name | transpose | search NOT column=search_name | rename row1 AS FB | rename row2 AS SMC | eval newvalue=FB-SMC | table FB SMC newvalue

0 Karma
Reply

cramasta
Builder
‎02-28-2013 06:12 AM

(index=sentrion-summary-fine search_name="Firewall Block") OR (index=sentrion-summary-fine search_name="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1") | stats count by search_name

that should give you two columns that you can then calculate the difference using an eval statment

0 Karma
Reply

chappe4
New Member
‎03-01-2013 07:02 AM

Actually the Firewall block was a typo from my side. so the rename is correct.
But still the eval is not working on the.
(index=sentrion-summary-fine search_name="Firewall Block") OR (index=sentrion-summary-fine search_name="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1") | stats count by search_name | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC

Only get the result
Firewall Block
Summarize Message Categorization, Disposition by 30min

0 Karma
Reply

cramasta
Builder
‎03-01-2013 06:08 AM

Things in Splunk are case sensitive, make sure when you are using the rename command that they are in the same case format that is listed in the results.

so if the output is showing the field as
Firewall block <-with a lowercase b
then the rename command is

| rename "Firewall block" AS fb

0 Karma
Reply

chappe4
New Member
‎03-01-2013 03:34 AM

If I then try this one:
index=sentrion-summary-fine search_name="Firewall Block" |stats count(host) as block | appendcols [ search index=sentrion-summary-fine search_name"Summarize Message Categorization, Disposition by 30min" | search disposition="Deliver" cluster="cluster_1" | stats count as deliver] | eval newvalue=block-deliver
I get this output

block deliver newvalue
121003 56335 64668

0 Karma
Reply

chappe4
New Member
‎03-01-2013 03:33 AM

Hello,

If I use this:
(index=sentrion-summary-fine search_name="Firewall Block") OR (index=sentrion-summary-fine search_name="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1") | stats count by search_name | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC
I get this output
Firewall block 121003
Summarize Message Categorization, Disposition by 30min 56335

0 Karma
Reply

chappe4
New Member
‎03-01-2013 12:05 AM

Thanks, sorry but I'm new to splunk and not use to its language yet. So one more thing how can I now show the result of the eval newvalue=FB-SMC in the report?

0 Karma
Reply

cramasta
Builder
‎02-28-2013 09:15 AM

Because your new field names are the names of the saved search and that they have spaces in them you can not use eval to calculate the difference. you need to first rename the columns so they do not have spaces.

(index=sentrion-summary-fine search_name="Firewall Block") OR (index=sentrion-summary-fine search_name="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1") | stats count by search_name | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC

0 Karma
Reply

chappe4
New Member
‎02-28-2013 08:09 AM

Thanks for the tips it was useful. I know have to figure out how to use the eval statement.

0 Karma
Reply

cramasta
Builder
‎02-28-2013 06:19 AM

you could also use appendcols command but this would kick off two searches.

index=sentrion-summary-fine search_name="Firewall Block" |stats count(host) as block | appendcols [ search index=sentrion-summary-fine search_name"Summarize Message Categorization, Disposition by 30min" | search disposition="Deliver" cluster="cluster_1" | stats count as deliver]

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...