https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174409#M50048 <P>That worked perfectly! Thanks for your excellent help.</P> Wed, 11 Dec 2013 11:17:50 GMT leatherface 2013-12-11T11:17:50Z https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174407#M50046 <P>I'm looking to get a list of results of events that should have occured in the last day by running a search with the date range <CODE>earliest=-7d@d latest=-24h</CODE> then running the same search for the range <CODE>earliest=-24h</CODE>, then subtracting the second result from the first to tell me what events happened over the last week but not in the last 24 hours.<BR /> The best I could come up with was to write the results the last 24 hours to a file using <CODE>outputlookup</CODE>:</P><P><BR /> <CODE>index="theindex" earliest=-24h | stats count by theevent| eval seen="yes" | outputlookup lastday.csv</CODE></P><P><BR /> then run a second query that looked back a week</P><P><BR /> <CODE>index="theindex" earliest=-7d@d latest=-24h | stats count by theevent| lookup lastday.csv theevent OUTPUT seen | where NOT seen="yes"</CODE></P> <P>Is there a better way to do this? A single search would make me very happy!<BR /> Thanks in advance</P> Wed, 11 Dec 2013 00:27:22 GMT https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174407#M50046 leatherface 2013-12-11T00:27:22Z https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174408#M50047 <P>Absolutely, you can do this in a single search. It's all about stitching it together. Essentially you can follow the steps here, but adapt it to your needs.</P> <PRE><CODE>index=theindex earliest=-7d latest=-24h theevent=* NOT [search index=theindex earliest=-24h theevent=* | dedup theevent | fields + theevent] | stats c by theevent </CODE></PRE> <P>The resulting table will contain the events that occurred in the last week, but not in the last 24 hours.</P> <P>The inner search (in square brackets) will get executed first and produce a (deduplicated) list of 'theevent', which are appended with a NOT to the outer search. Then you do your stats count.</P> <P>You may even do it in a single search without subsearches, but maybe it won't be more efficient;</P> <PRE><CODE>index=theindex earliest=-7d theevent=* | eval AAA = if(_time &lt; (now() - 86400), "last_week", "today") | dedup theevent AAA | transaction theevent max_events=2| where eventcount=1 AND AAA="last_week" </CODE></PRE> <P>... I think, haven't tested the last one. But it - or something very close - will work as well.</P> <P>/k</P> Wed, 11 Dec 2013 01:33:05 GMT https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174408#M50047 kristian_kolb 2013-12-11T01:33:05Z https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174409#M50048 <P>That worked perfectly! Thanks for your excellent help.</P> Wed, 11 Dec 2013 11:17:50 GMT https://community.splunk.com/t5/Splunk-Search/Subtract-one-search-from-another-based-on-time-of-searches/m-p/174409#M50048 leatherface 2013-12-11T11:17:50Z