https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203935#M59251 <P>Try the following:</P> <PRE><CODE> (index="first" sourcetype="anysourcetype") OR (index="second" sourcetype="otherstr") | stats count as count1 by FIELD1 | appendcols [search index="second" sourcetype="otherstr"| stats count as count2 by FIELD1]| eval Difference=count1-count2 </CODE></PRE> Thu, 03 Nov 2016 12:52:16 GMT niketn 2016-11-03T12:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203930#M59246 <P>Hi all.</P> <P>I have two basic searches like this:</P> <PRE><CODE>index=first sourcetype=first-sourcetype | stats count by FIELD1 index=second sourcetype=second-sourcetype | stats count by FIELD1 </CODE></PRE> <P><CODE>FIELD1</CODE> has values like ONE, TWO, THREE.</P> <P>I want to calculate the difference between the two searches value per value. How i can do? The two sourcetypes are equal, the difference is the quantity of values on each one.</P> <P>Thanks!</P> Wed, 02 Nov 2016 22:31:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203930#M59246 changux 2016-11-02T22:31:57Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203931#M59247 <P>Try this:</P> <PRE><CODE>(index=first OR index=second) (sourcetype=first-sourcetype OR sourcetype=second-sourcetype) | chart count over FIELD1 by index | eval diff=first-second </CODE></PRE> Wed, 02 Nov 2016 22:43:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203931#M59247 twinspop 2016-11-02T22:43:54Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203932#M59248 <P>Works great. if my searches are:</P> <PRE><CODE>index=first sourcetype=anysourcetype | join ID [search index=second sourcetype=othersrt] </CODE></PRE> <P>and</P> <PRE><CODE>index=second sourcetype=othersrt </CODE></PRE> <P>How i can obtain the same calculation?</P> <P>Thanks!</P> Wed, 02 Nov 2016 23:37:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203932#M59248 changux 2016-11-02T23:37:20Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203933#M59249 <P><STRONG>Option 1</STRONG></P> <P>Step 1: Run search index="first" sourcetype="anysourcetype" and save as Event Type "firstany".</P> <P>Step 2: Run search index="second" sourcetype="othersrt" and save as Event Type "secondother"</P> <P>Step 3: Run the following search query</P> <PRE><CODE>(eventtype="firstany" ) OR (eventtype="secondother") | chart count over FIELD1 by eventtype | eval difference=firstany-secondother </CODE></PRE> <P>Also refer to previous answer on similar lines as this seems to be a duplicate thread.<BR /> <A href="https://answers.splunk.com/answers/470876/how-to-calculate-the-difference-between-count-of-t.html#answer-469923">https://answers.splunk.com/answers/470876/how-to-calculate-the-difference-between-count-of-t.html#answer-469923</A></P> <P><STRONG>Option 2</STRONG></P> <PRE><CODE>(index="first" sourcetype="anysourcetype") OR (index="second" sourcetype="otherstr") | eval statsfield= FIELD1 + " - " + index + " - " + sourcetype | stats count by statsfield | delta count as Difference </CODE></PRE> <P>Please let me know if this is not what you are looking for, so that I may assist.</P> Thu, 03 Nov 2016 06:47:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203933#M59249 niketn 2016-11-03T06:47:24Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203934#M59250 <P>Thanks!<BR /> If my searches are:</P> <PRE><CODE> index=first sourcetype=anysourcetype | join ID [search index=second sourcetype=othersrt] index=second sourcetype=othersrt </CODE></PRE> <P>Any suggestion?</P> Thu, 03 Nov 2016 12:17:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203934#M59250 changux 2016-11-03T12:17:00Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203935#M59251 <P>Try the following:</P> <PRE><CODE> (index="first" sourcetype="anysourcetype") OR (index="second" sourcetype="otherstr") | stats count as count1 by FIELD1 | appendcols [search index="second" sourcetype="otherstr"| stats count as count2 by FIELD1]| eval Difference=count1-count2 </CODE></PRE> Thu, 03 Nov 2016 12:52:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203935#M59251 niketn 2016-11-03T12:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203936#M59252 <P>It's very tempting to solve this problem with a second join. However breaking down the requirements with paper and pencil, there are other ways to do it in more of a splunklike fashion. (and this means with far better performance, without breaking map-reduce, and with no limits on the size of your results.)</P> <P>The first search (assuming there's an implicit <CODE>| stats count by FIELD1</CODE> on the end as before) is saying "find me the counts for all values of FIELD1, for just the rows in <CODE>index=first sourcetype=anysourcetype</CODE> whose ID appears also in <CODE>index=second sourcetype=othersrt</CODE>. </P> <P>Now to compare the "search1" counts vs the "search2" couonts, we kind of need to transform the incoming rows in two different (kind of mutually exclusive) ways. Obviously we can't transform the results in incompatible ways, and this means we have to do the same work without transforming the incoming rows at all. Whenever you hit this sort of thing you should think of <CODE>eventstats</CODE> and <CODE>streamstats</CODE> because they are your tools for that. </P> <P>So, a way to get search1's, (and I've gone ahead and put back the <CODE>chart count by ID</CODE> bit)</P> <PRE><CODE> (index=first OR index=second) (sourcetype=first-sourcetype OR sourcetype=second-sourcetype) | eventstats values(index) as indexesWithThisID by ID | search indexesWithThisID=second index=first | chart count by ID </CODE></PRE> <P>it's kind of weird. We send eventstats off on a mission to find, for each value of "ID", which indexes that value in across the whole set. We then paint those indexes on each row as a multivalue field called <CODE>indexesWithThisID</CODE>. </P> <P>The end result is that we can filter the set down just with <CODE>| search indexesWithThisID=second index=first</CODE></P> <P>Let's now modify this, so that it can take the FIELD1 counts for these events, and compare them with the FIELD1 counts for the <CODE>index=second sourcetype=othersrt</CODE> events. Here I'm using a conditional eval to break it into steps. </P> <PRE><CODE> (index=first OR index=second) (sourcetype=first-sourcetype OR sourcetype=second-sourcetype) | eventstats values(index) as indexesWithThisID by ID | eval matchesWhichSearch=case(indexesWithThisID="second" AND index="first",1,index="second",2,true(),-1) | search matchesWhichSearch&gt;0 | chart count over FIELD1 by matchesWhichSearch </CODE></PRE> <P>Note - it may make sense for this to be moved out to its own question but I'll leave it here for now. </P> Thu, 03 Nov 2016 17:34:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203936#M59252 sideview 2016-11-03T17:34:49Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203937#M59253 <P>Thanks @sideview, @niketnilay . I need the <CODE>join</CODE>, some context to understand:</P> <P>Each sourcetype has:</P> <P><CODE>index=first sourcetype=anysourcetype</CODE> =&gt; Executed tasks<BR /> <CODE>index=second sourcetype=othersrc</CODE> =&gt; To execute tasks.</P> <P>Then, the join returns to me the REAL executed tasks with some details about it. The field <CODE>FIELD1</CODE> is originally present at <CODE>index=second sourcetype=othersrc</CODE>, so after join, i have the list of REAL executed and the value with states like type1, type2, type3, etc (included in <CODE>FIELD1</CODE>). I need to show the list of NOT EXECUTED tasks classified by <CODE>FIELD1</CODE>.</P> <P>Thanks!</P> Fri, 04 Nov 2016 00:37:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203937#M59253 changux 2016-11-04T00:37:52Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203938#M59254 <P>Anybody? Please help me.</P> Mon, 07 Nov 2016 00:29:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203938#M59254 changux 2016-11-07T00:29:57Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203939#M59255 <P>You can just replace appencols in above example with join ID</P> <P>So try the following:</P> <PRE><CODE>(index="first" sourcetype="anysourcetype") OR (index="second" sourcetype="otherstr") | stats count as count1 by FIELD1 | join ID [search index="second" sourcetype="otherstr"| stats count as count2 by FIELD1]| eval Difference=count1-count2 </CODE></PRE> <P>FYI - append, appendcols, join, stats, eventstats, transaction, subsearch etc are all for event correlation and most of them might fit in to return the results you want. However, you should try job inspector to evaluate which one performs best. Refer to following Splunk documentation on how to choose between various event correlation commands</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation">http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation</A></P> Fri, 03 Mar 2017 21:08:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-in-field-values/m-p/203939#M59255 niketn 2017-03-03T21:08:45Z