topic How to alert in Difference in count of two search query in Splunk Search

how to find difference between two "stats count" used in two different saved search

snabi — Thu, 15 Aug 2013 18:46:51 GMT

So i have two saved search queries
1. sourcetype="x" "attempted" source="y" | stats count
2. sourcetype="x" "Failed" source="y" | stats count

i need to create a search query which will calculate

Passed item = (sourcetype="x" "attempted" source="y" | stats count) - (sourcetype="x" "Failed" source="y" | stats count)

and display Passed item count by hours

Re: how to find difference between two "stats count" used in two different saved search

starcher — Fri, 16 Aug 2013 12:24:09 GMT

give this a shot:
sourcetype="x" | stats count(eval(searchmatch("attempted"))) AS numattempts count(eval(searchmatch("Failed"))) AS numfails | eval diff=numattempts-numfails

Re: how to find difference between two "stats count" used in two different saved search

snabi — Mon, 26 Aug 2013 20:30:50 GMT

sourcetype="x" source="x.log" ("consolidation succeeded" OR "conversion failed") | stats count(eval(searchmatch("consolidation succeeded"))) as attempts count(eval(searchmatch("xconversion failed"))) as failures | eval successes=attempts-failures

this one worked for me...
Thanks for all the supports

How to alert in Difference in count of two search query

icenitesh — Mon, 11 Jan 2021 16:04:36 GMT

("SSO Initiated" OR "SSO Completed") | stats count(eval(searchmatch("SSO Initiated"))) as SSO_Initiated count(eval(searchmatch("SSO Completed"))) as SSO_Completed | eval Difference=SSO_Initiated-SSO_Completed

I want to create alert if Difference > 0, then mail needs to be sent. This check should keep happening every 15 minute and check in last 15 minute if Difference > 0, then trigger mail.