https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433987#M123902 <P>Here is my query :</P> <PRE><CODE>index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" service_name="equitydata-rawdata-producer" host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType | append[search index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" service_name="equitydata-rawdata-consumer" CountFlag="true" PackageDataType |stats count by PackageDataType ]|**table DataPackageType num |streamstats max(num) as max min(num) as min by PackageDataType | eval diff=max-min | dedup DataPackageType | table DataPackageType max min diff. </CODE></PRE> <P>When I run the above query which have been marked as "Strong" font, I can get a result like this:<BR /> PackageDataType num<BR /> CO 319<BR /> SO 420<BR /> CO 319<BR /> SO 420</P> <P>But I want to count the difference between same "PackageDataType", like below format:<BR /> PackageDataType max min diff<BR /> CO 319 319 0<BR /> SO 420 420 0</P> <P>So I added "streamstats.." to count it . But after I added it , no result can be shown. Is there anything wrong ?</P> Sun, 14 Oct 2018 02:58:39 GMT asdusert 2018-10-14T02:58:39Z https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433987#M123902 <P>Here is my query :</P> <PRE><CODE>index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" service_name="equitydata-rawdata-producer" host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType | append[search index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" service_name="equitydata-rawdata-consumer" CountFlag="true" PackageDataType |stats count by PackageDataType ]|**table DataPackageType num |streamstats max(num) as max min(num) as min by PackageDataType | eval diff=max-min | dedup DataPackageType | table DataPackageType max min diff. </CODE></PRE> <P>When I run the above query which have been marked as "Strong" font, I can get a result like this:<BR /> PackageDataType num<BR /> CO 319<BR /> SO 420<BR /> CO 319<BR /> SO 420</P> <P>But I want to count the difference between same "PackageDataType", like below format:<BR /> PackageDataType max min diff<BR /> CO 319 319 0<BR /> SO 420 420 0</P> <P>So I added "streamstats.." to count it . But after I added it , no result can be shown. Is there anything wrong ?</P> Sun, 14 Oct 2018 02:58:39 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433987#M123902 asdusert 2018-10-14T02:58:39Z https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433988#M123903 <P>@asdusert,</P> <P>From your search, there are possibly two things you might need to change to get the desired result</P> <OL> <LI>In your original search you are using field name <STRONG>PackageDataType</STRONG> but in the table command next to it, you are using <STRONG>DataPackageType</STRONG> which are different field names for splunk and that's the reason you are not getting the result.</LI> <LI><P>streamstats gives you <CODE>streaming</CODE> max or min. ie.when the streamstats look at the first event, it only knows CO 319 and hence it would result 319 as max and min for CO even though the second CO has a different count say 219. You may test it by running</P> <P>index=_*|stats count by sourcetype ,index|fields - sourcetype|streamstats max(count) as max,min(count) as min by index</P></LI> </OL> <P>So try <CODE>stats</CODE> or <CODE>eventstats</CODE> for the final calculation.</P> <PRE><CODE>index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" service_name="equitydata-rawdata-producer" host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType | append[search index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" service_name="equitydata-rawdata-consumer" CountFlag="true" |stats count by PackageDataType ] |stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min </CODE></PRE> <P>To your original search, just add </P> <PRE><CODE> |stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min </CODE></PRE> Sun, 14 Oct 2018 04:39:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433988#M123903 renjith_nair 2018-10-14T04:39:47Z https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433989#M123904 <P>@renjith.nair Thanks so much . it works.</P> Sun, 14 Oct 2018 09:40:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433989#M123904 asdusert 2018-10-14T09:40:13Z https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433990#M123905 <P>@asdusert, glad that it worked. Kindly accept it as answer to close this thread. Thanks</P> Sun, 14 Oct 2018 11:40:40 GMT https://community.splunk.com/t5/Splunk-Search/Why-can-t-results-can-be-shown-when-calculating-the-difference/m-p/433990#M123905 renjith_nair 2018-10-14T11:40:40Z