https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696753#M236797 <P>Hi thanks for pointing that out.&nbsp;&nbsp;<BR />The&nbsp; &nbsp;<EM>"by bookmark_status_display"&nbsp; &nbsp;</EM>was indeed unneeded as I'm specifying&nbsp; which status it is in the query&nbsp; hence the&nbsp; actual query should be:&nbsp;<BR /><BR /></P> <LI-CODE lang="markup">| sseanalytics 'bookmark' | where bookmark_status="bookmarked" | stats count(bookmark_status_display) AS "Bookmark Status" </LI-CODE> <P><BR />-&nbsp; Once taking that into considereation i was able to use the following for the result :<BR /><BR /></P> <LI-CODE lang="markup">| rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" | appendcols [sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status"] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count | table diff</LI-CODE> <P><BR />Thank you 100!</P> Mon, 19 Aug 2024 18:02:22 GMT AcePilot 2024-08-19T18:02:22Z https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696546#M236726 <P>Im trying to substract&nbsp; the total number i have of alerts that send and email&nbsp; from the total amount of alerts that are bookmarked in SSE.&nbsp; The only examples I found on the community used either the same index, or sub-searches (neither worked in my scenario)<BR /><BR /><STRONG>My query for&nbsp; the alerts is :</STRONG><BR /><BR /></P> <LI-CODE lang="markup">| rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" </LI-CODE> <P><BR /><STRONG>My query for bookmarks is:&nbsp;</STRONG><BR /><BR /></P> <LI-CODE lang="markup">| sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display</LI-CODE> Fri, 16 Aug 2024 21:12:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696546#M236726 AcePilot 2024-08-16T21:12:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696556#M236731 <P>You realize that the first search results in one single row, and the second gives a series of rows, right? &nbsp;Without illustrating or describing what your desired output look like, you are asking volunteers to read your mind. &nbsp;This is generally a bad idea on a forum like this.</P><P>If your requirement is to subtract singular Count in the first search from "Bookmark Status" in every row in the second search, you can do something as simple as</P><P>&nbsp;</P><LI-CODE lang="markup">| rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" | appendcols [sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count</LI-CODE><P>&nbsp;</P><P>Here I am using appendcols instead of the usual approach using append because one of the searches only gives out one single row. &nbsp;This is not the most semantic approach but sometimes I like code economy. &nbsp;In fact, this method applies to any two searches as long as one of them yields a single row.</P><P>Here is an emulation as proof of concept:</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats count AS Count where index=_internal ``` the above emulates | rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" ``` | appendcols [tstats count AS "Bookmark Status" where index=_introspection by sourcetype | rename sourcetype AS bookmark_status_display ``` this subsearch emulates | sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display ``` ] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count</LI-CODE><P>&nbsp;</P><P>You will get something like</P><TABLE><TBODY><TR><TD>Count</TD><TD>Bookmark Status</TD><TD>bookmark_status_display</TD><TD>diff</TD></TR><TR><TD>151857</TD><TD>201</TD><TD>http_event_collector_metrics</TD><TD>-151656</TD></TR><TR><TD>151857</TD><TD>2365</TD><TD>kvstore</TD><TD>-149492</TD></TR><TR><TD>151857</TD><TD>57</TD><TD>search_telemetry</TD><TD>-151800</TD></TR><TR><TD>151857</TD><TD>462</TD><TD>splunk_disk_objects</TD><TD>-151395</TD></TR><TR><TD>151857</TD><TD>303</TD><TD>splunk_telemetry</TD><TD>-151554</TD></TR></TBODY></TABLE> Sat, 17 Aug 2024 06:10:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696556#M236731 yuanliu 2024-08-17T06:10:49Z https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696559#M236733 <P>Apart from the technicalities which <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a> already tackled, there is also a logical flaw in your approach. Even if you aggregate your second search output into a single count you have two relatively unrelated values. Substracting cardinalities makes sense only if one set is a subset of another one. In your case those sets may overlap but one doesn't have to be included in the other.</P> Sat, 17 Aug 2024 07:03:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696559#M236733 PickleRick 2024-08-17T07:03:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696753#M236797 <P>Hi thanks for pointing that out.&nbsp;&nbsp;<BR />The&nbsp; &nbsp;<EM>"by bookmark_status_display"&nbsp; &nbsp;</EM>was indeed unneeded as I'm specifying&nbsp; which status it is in the query&nbsp; hence the&nbsp; actual query should be:&nbsp;<BR /><BR /></P> <LI-CODE lang="markup">| sseanalytics 'bookmark' | where bookmark_status="bookmarked" | stats count(bookmark_status_display) AS "Bookmark Status" </LI-CODE> <P><BR />-&nbsp; Once taking that into considereation i was able to use the following for the result :<BR /><BR /></P> <LI-CODE lang="markup">| rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" | appendcols [sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status"] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count | table diff</LI-CODE> <P><BR />Thank you 100!</P> Mon, 19 Aug 2024 18:02:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-substract-the-results-of-two-different-searches/m-p/696753#M236797 AcePilot 2024-08-19T18:02:22Z