https://community.splunk.com/t5/Splunk-Search/Subtract-input-from-output/m-p/558767#M158758 <LI-CODE lang="markup">| sort 0 _time | eval wildfly=if(match(_raw,"WFLYSVR0025"),1,0) | eval input=if(match(_raw,"input"),1,0) | eval output=if(match(_raw,"output"),1,0) | streamstats sum(wildfly) as wildfly | streanstats sum(input) as input sum(output) as output by wildfly | eval stillrunning=input-output</LI-CODE> Thu, 08 Jul 2021 21:58:43 GMT ITWhisperer 2021-07-08T21:58:43Z https://community.splunk.com/t5/Splunk-Search/Subtract-input-from-output/m-p/558755#M158753 <P>Hi<BR />I have some process that does not finish successfully, Now i want to trace them with splunk.</P><P>here is scenario:<BR />I have wildfly that create log file. when I start wildfly this code WFLYSRV0025 appear in the log. now I want after latest time that whildfly started, splunk start to count number of "input" and "output" like below.</P><P>“Input” mean new processes start “need to store count of previous value then it always increasing ”(streamstats sum(count))<BR />“output” means process has been finished “need to store count of previous value, this value subtract from input continuously ” (streamstats sum(count))</P><P>The goal is splunk tell me how much process still not finish. and show this on timechart.</P><P>&nbsp;</P><P>here is the log:</P><P>2021-07-06 23:10:47,131 INFO [as] WFLYSRV0025: Wildfly EAP 7.0.0.GA<BR />2021-07-06 23:11:12,197 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:11:12,187 INFO [app] output, User: anonymous<BR />2021-07-06 23:11:12,178 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:11:12,167 INFO [app] output, User: anonymous<BR />2021-07-06 23:11:12,159 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:11:12,149 INFO [app] output, User: anonymous<BR />2021-07-06 23:11:12,141 INFO [app] input , time[10] User: anonymous</P><P><BR />4 input, 3 output</P><P>In above log as you see 1 input still remain, and not finished</P><P>2021-07-06 23:30:47,131 INFO [as] WFLYSRV0025: Wildfly EAP 7.0.0.GA<BR />2021-07-06 23:30:47,197 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:30:47,141 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:30:47,131 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:30:47,134 INFO [app] output, User: anonymous<BR />2021-07-06 23:30:47,138 INFO [app] output, User: anonymous<BR />2021-07-06 23:30:47,131 INFO [app] input , time[10] User: anonymous<BR />2021-07-06 23:30:47,131 INFO [app] input , time[10] User: anonymous</P><P>5 input, 2 output</P><P>In above log as you see 3 input still remain, and not finished</P><P>I want to show this on timechart, in each minute that show me how many input still there.</P><P>Any idea,<BR />Thanks</P> Thu, 08 Jul 2021 19:51:28 GMT https://community.splunk.com/t5/Splunk-Search/Subtract-input-from-output/m-p/558755#M158753 indeed_2000 2021-07-08T19:51:28Z https://community.splunk.com/t5/Splunk-Search/Subtract-input-from-output/m-p/558767#M158758 <LI-CODE lang="markup">| sort 0 _time | eval wildfly=if(match(_raw,"WFLYSVR0025"),1,0) | eval input=if(match(_raw,"input"),1,0) | eval output=if(match(_raw,"output"),1,0) | streamstats sum(wildfly) as wildfly | streanstats sum(input) as input sum(output) as output by wildfly | eval stillrunning=input-output</LI-CODE> Thu, 08 Jul 2021 21:58:43 GMT https://community.splunk.com/t5/Splunk-Search/Subtract-input-from-output/m-p/558767#M158758 ITWhisperer 2021-07-08T21:58:43Z