topic Re: Graph the difference between the totals of 2 search calculations in Splunk Search

Graph the difference between the totals of 2 search calculations

GClef — Thu, 29 Feb 2024 21:09:14 GMT

Dear SPLUNKos

I need to create a time chart as per the below
Run one “grand total” search
Run second search which is a dedup of the first search.
Subtract the difference and timechart only the difference.

I have got to the point below which gives me a table of data but I cannot get this to chart : Mr SPLUNK in my organisation tells me this cannot be done which is borne out by the documentation on the timechart command which indicates it can only reference field data not calculated data . Is there a way?

<SEARCH-GRANDTOTAL> | stats count as Grandtotal | appendcols [ <SEARCH-2> | stats count as TotalDeDup ] | eval diff= Grandtotal - TotalDeDup

Re: Graph the difference between the totals of 2 search calculations

PickleRick — Thu, 29 Feb 2024 22:17:14 GMT

What would you want to timechart here as you have only two values? This makes no sense.

Re: Graph the difference between the totals of 2 search calculations

GClef — Thu, 29 Feb 2024 22:27:38 GMT

Timechart the difference against time... The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermittently and significantly duplicating individual log entries due to something in the way they are forwarding so I want to chart this to have an artefact I can point at for analysis.

Re: Graph the difference between the totals of 2 search calculations

PickleRick — Thu, 29 Feb 2024 23:02:25 GMT

But your search shows just two data points. Without more details on your data it's impossible to help you.

Re: Graph the difference between the totals of 2 search calculations

GClef — Thu, 29 Feb 2024 23:06:35 GMT

I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one from the other and want to graph that value against time.

Re: Graph the difference between the totals of 2 search calculations

PickleRick — Thu, 29 Feb 2024 23:14:11 GMT

Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you apparently know better. But then again - why asking for help in the first place?

Re: Graph the difference between the totals of 2 search calculations

GClef — Thu, 29 Feb 2024 23:20:38 GMT

Thanks, I would appreciate it if you stepped back from this : I will see if anyone else in the community has an idea / understands what I am saying 🙂 Have a great day Rick