Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

DavidRojas — Tue, 01 Jun 2021 17:28:03 GMT

How can I do Three search in the same query, but the results separate for a week (the results of last 4 weeks), and the result of the three search do a operation math for a final result.

///////////////////////////

This is my query:

/////////////////////////////////////////////////////////////////////

But this is the result

//////////////////////////////////////////

How can I get the result to be in the same row and then do the difference of the week?

| eval Diff=(("TotalAlerts")-("AlertsFalse"+"AlertsSmart"))

- The same index in the 3 searchs

- The last 4 weeks

- Diference =(A-(B+C))

- Chart the Columns A B C Diference

Re: Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

ITWhisperer — Tue, 01 Jun 2021 17:35:36 GMT

Before the last table command add

| stats values(*) as * by _time

Re: Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

DavidRojas — Tue, 01 Jun 2021 19:27:33 GMT

Thak you ITWhisperer

I Add this 3 lines in my Query, and the result successfully, thank you so much

| stats values(*) as * by _time
| eval Diff=((AlertsTotals)-(AlertsSmart+AlertsFalse))
| table AlertsTotals AlertsFalse AlertsSmart Diff

topic Re: Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week in Splunk Search

Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

Re: Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

Re: Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week