Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare number of results of two searches

Znerox
New Member
2 weeks ago

I have a search X that shows requests, search Y shows responses.
Value A = number of X
Value B = number of Y

I want to calculate a new value C, that is A-B (would show number of requests where response is missing. How can I calculate C?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

You might actually do it another way. Assuming you're getting your counts from the pretty much same set of data, probably just being different in some field(s) values you can create a base search to get both of those counts. For example - for logins and logouts - adjust to your case

index=whatever
| stats count(eval(operation="login")) as logins count(eval(operation="logout")) as logouts

Then you can:

1. Have two separate visualizations - each of them displaying just one result field

2. Have a post-process search for that base search

| eval diff=logins-logouts

which you can use for another single value visualization.

This way you can just use one base search for everything.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Znerox ,

you have to append two searches:

<your_search_A>
| stats sum(X) AS A
| append [
     <your_search_B>
     | stats sum(Y) AS B
     ]
| stats values(A) AS A values(B) AS B
| eval C=A-B
| table A B C

Ciao.

Giuseppe

0 Karma
Reply

Znerox
New Member
2 weeks ago

I'm at a loss here. I already have A and B visualized as "single values". The only thing that is missing is the calculation of A-B.

I've tried modifying your code to something that looks like it might make sense. Here I'm trying to reference the searches that are used to visualize A and B. (Access search results ormetadata).

| stats values($<All requests>$) AS A values($<All responses>$) AS B
| eval C=A-B

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

In Classic XML dashboards, you can add a <done> stanza to the searches for your singles and set tokens from the first row of the results. You can then use these tokens in your subsequent search.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

@Znerox ,

I don't think that you can use a token from two other Single values, but you could use the same search (eventually as base search in this third Single value, using a search like mine.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its ...

Splunk and Fraud

Join us on November 13 at 11 am PT / 2 pm ET!Join us for an insightful webinar where we delve into the ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...