https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/533381#M150703 <P>Thank you, Rich. Wasn't exactly my solution, but your post gave me my solution. What I ended up doing was:</P><P>&nbsp;</P><LI-CODE lang="markup">| stats values(*) as * | eval Difference = itemsReceived - itemsProcessed | appendcols [stats values(Difference) as Difference by transactionID]</LI-CODE><P>&nbsp;</P><P>I wouldn't have come to that realization had it not been for your reply. Thank you!</P> Thu, 17 Dec 2020 00:45:25 GMT seomaniv 2020-12-17T00:45:25Z https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/532563#M150445 <P>I have two events: items received, and items acted on. I want to set an alert when the count by transactionID is not equal for the two searches. I have the search set up like so:</P><P>&nbsp;</P><LI-CODE lang="markup">index=myIndex source=mySource | search criteriaForItemsReceived | stats count as itemsReceived by transactionID | append [ search index-myIndex source=mySource | search criteriaForItemsProcessed | stats count as itemsProcessed by transactionID ] | stats values(*) as * by transactionID</LI-CODE><P>&nbsp;</P><P>ok, it's a little more complicated, but this is the important part. So then need to compare itemsReceived to itemsProcessed to determine if there should be an alert. I have tried</P><P>&nbsp;</P><LI-CODE lang="markup">... stats values(eval(itemsReceived-itemsProcessed)) as Difference ... | search Difference != 0</LI-CODE><P>&nbsp;</P><P>as well as doing the eval before the stats, but everything I try ends up with null values for the eval, even though the table is properly populated with the values for itemsReceived and itemsProcessed (I have also tried convert num(itemsReceived) and tonumber(itemsReceived,10) in the event Splunk was not recognizing these fields as numbers, but each time, the fields are null).</P><P>What am I doing wrong here?</P> Thu, 10 Dec 2020 00:23:18 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/532563#M150445 seomaniv 2020-12-10T00:23:18Z https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/532567#M150448 <P>The problem may be with the <FONT face="courier new,courier">values(*)</FONT> clause returning multi-field values, which most other functions can't handle.&nbsp; Try this alternative:</P><P>&nbsp;</P><LI-CODE lang="markup">index=myIndex source=mySource | search criteriaForItemsReceived | eval state="Rcvd" | append [ search index-myIndex source=mySource | search criteriaForItemsProcessed | eval state="Proc" ] | stats count(eval(state="Rcvd")) as itemsReceived, count(eval(state="Proc")) as itemsProcessed by transactionID | eval Difference = itemsReceived - itemsProcessed </LI-CODE> Thu, 10 Dec 2020 01:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/532567#M150448 richgalloway 2020-12-10T01:35:28Z https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/533381#M150703 <P>Thank you, Rich. Wasn't exactly my solution, but your post gave me my solution. What I ended up doing was:</P><P>&nbsp;</P><LI-CODE lang="markup">| stats values(*) as * | eval Difference = itemsReceived - itemsProcessed | appendcols [stats values(Difference) as Difference by transactionID]</LI-CODE><P>&nbsp;</P><P>I wouldn't have come to that realization had it not been for your reply. Thank you!</P> Thu, 17 Dec 2020 00:45:25 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-row-count-for-two-searches-are-not-equal/m-p/533381#M150703 seomaniv 2020-12-17T00:45:25Z