Solved: Subtract events of two searches

Katsche · ‎10-10-2011

Hi all,

I have two searches here, which are nearly the same (5 Events more at one of them).
Is it somehow possible to Subtract the 289 events of the first search from the 294 other events of the second search?

Kind regards,
Katsche

Paolo_Prigione · ‎10-10-2011

Can the set command help you?

View solution in original post

Paolo_Prigione · ‎10-10-2011

Can the set command help you?

Katsche · ‎10-10-2011

Sadly there is not... but a new machine is already ordered. (12 CPU cores plus Hyperthreading instead of 2 cores witouht Hyperthreading and 96GB instead of 2GB RAM, that should work! xD)

Paolo_Prigione · ‎10-10-2011

ouch... I think Splunk doesn't provide a "| addRAM" command OOTB... 🙂

Katsche · ‎10-10-2011

Ok, this is the answer, but I will have to figure out something else, because there is not enough RAM on my machine to run such a strong search...

Katsche · ‎10-10-2011

Just checked the Search Reference Manual. Looks very promising. Let me run my search and I will get back to you. 🙂

Katsche · ‎10-10-2011

I'd like to now the 5 events which are more.

Subtract events of two searches

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes