
How can I calculate 2 different search results

New Member

If I do a search in one index and get a value, then I need to search another index to get a second value. How can I combine these so I am able to calculate the difference? Like 10 - 5 = 5, and then display the result. Is there a way to get the search result into a variable?

Here is an example of the search.
index=sentrion-summary-fine searchname="Firewall Block" | stats count(host) as block
index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" | search disposition="Deliver" cluster="cluster_1" | stats count as deliver

So from this I would like to calculate block - deliver =
Leif

0 Karma

Re: How can I calculate 2 different search results

Builder

(index=sentrion-summary-fine searchname="Firewall Block") OR (index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster1") | stats count by searchname

That should give you two columns; you can then calculate the difference using an eval statement.

0 Karma

Re: How can I calculate 2 different search results

Builder

You could also use the appendcols command, but this would kick off two searches.

index=sentrion-summary-fine searchname="Firewall Block" | stats count(host) as block | appendcols [ search index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" | search disposition="Deliver" cluster="cluster_1" | stats count as deliver ]

0 Karma

Re: How can I calculate 2 different search results

New Member

Thanks for the tips, that was useful. I now have to figure out how to use the eval statement.

0 Karma

Re: How can I calculate 2 different search results

Builder

Because your new field names are the names of the saved searches, and they have spaces in them, you cannot use eval to calculate the difference. You need to first rename the columns so they do not have spaces.

(index=sentrion-summary-fine searchname="Firewall Block") OR (index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster1") | stats count by searchname | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC

0 Karma

Re: How can I calculate 2 different search results

New Member

Thanks, sorry, but I'm new to Splunk and not used to its language yet. So one more thing: how can I now show the result of the eval newvalue=FB-SMC in the report?

0 Karma

Re: How can I calculate 2 different search results

New Member

Hello,

If I use this:
(index=sentrion-summary-fine searchname="Firewall Block") OR (index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster1") | stats count by searchname | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC
I get this output:
Firewall block 121003
Summarize Message Categorization, Disposition by 30min 56335

0 Karma

Re: How can I calculate 2 different search results

New Member

If I then try this one:
index=sentrion-summary-fine searchname="Firewall Block" | stats count(host) as block | appendcols [ search index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" | search disposition="Deliver" cluster="cluster_1" | stats count as deliver ] | eval newvalue=block-deliver
I get this output:

block deliver newvalue
121003 56335 64668

0 Karma

Re: How can I calculate 2 different search results

Builder

Things in Splunk are case-sensitive; make sure that when you are using the rename command the names are in the same case as listed in the results.

So if the output is showing the field as
Firewall block <- with a lowercase b
then the rename command is

| rename "Firewall block" AS fb

0 Karma

Re: How can I calculate 2 different search results

New Member

Actually, the "Firewall block" was a typo on my side, so the rename is correct.
But still the eval is not working on the.
(index=sentrion-summary-fine searchname="Firewall Block") OR (index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster1") | stats count by searchname | rename "Firewall Block" AS FB | rename "Summarize Message Categorization, Disposition by 30min" AS SMC | eval newvalue=FB-SMC

I only get the result:
Firewall Block
Summarize Message Categorization, Disposition by 30min

0 Karma
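The output in the last post is what stats count by searchname produces: one row per search name, with the names as values of the searchname field rather than as field names, so there is no field called "Firewall Block" for rename to act on and eval has nothing to subtract. The query below is an added example, not from anyone in this thread; it keeps the single OR search but counts each saved search into its own field with count(eval(...)), so the two numbers land in one row and the difference can be computed directly. It assumes the filter values from the original question (disposition="Deliver", cluster="cluster_1") and that a plain event count is acceptable for the block figure.

```spl
(index=sentrion-summary-fine searchname="Firewall Block")
OR (index=sentrion-summary-fine searchname="Summarize Message Categorization, Disposition by 30min" disposition="Deliver" cluster="cluster_1")
| stats count(eval(searchname="Firewall Block")) AS FB
        count(eval(searchname="Summarize Message Categorization, Disposition by 30min")) AS SMC
| eval newvalue=FB-SMC
| table FB SMC newvalue
```

If the "Firewall Block" figure must be the count of events that have a host field (the original count(host)), use count(eval(searchname="Firewall Block" AND isnotnull(host))) for FB instead. The same one-row shape can also be reached with chart count by searchname followed by the rename and eval steps already shown in the thread.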