map search question

ITSplunk117 — Tue, 20 Feb 2024 14:13:00 GMT

I'm using a modified search from splunksearches.com to get the events from the past two days and returning the difference. For all of the indexes and sourcetypes, if it exists, in the testlookup.

While it works the index and sourcetype does not line up with the results. Mapping I found handles this SPL a little different than a normal search, location of the stats command had to be moved to return the same results.
My question is there a way to modify the SPL so the index/sourcetype lines up with the results? I'm pretty sure I'll eventually get it but already spent enough time on this.
thanks

testlookup: has the columns index and sourcetype

index1	sourcetype1	yesterday	today	difference
test1	st_test1
		10	20	10

Re: map search question

ITWhisperer — Tue, 20 Feb 2024 14:45:42 GMT

map can be slow and limited - try something like this

[| inputlookup testlookup | table index sourcetype] earliest=-2d@d latest=@d | eval day=if(_time < relative_time(now(), "-1d@d"), "Yesterday", "Today") | stats count by day index sourcetype | eval {day}=count | stats values(Today) as Today values(Yesterday) as Yesterday by index sourcetype | fillnull value=0 Yesterday Today | eval difference=abs(Yesterday - Today)

Re: map search question

ITSplunk117 — Tue, 20 Feb 2024 15:00:12 GMT

Thank you this should work quite well for my needs.

topic Re: map search question in Splunk Search

map search question

Re: map search question

Re: map search question