
Compare number of results of two searches

Znerox
New Member

I have a search X that shows requests, search Y shows responses.
Value A = number of X
Value B = number of Y

I want to calculate a new value C, that is A-B (would show number of requests where response is missing). How can I calculate C?

0 Karma

PickleRick
SplunkTrust

You might actually do it another way. Assuming you're getting your counts from pretty much the same set of data, probably just differing in some field values, you can create a base search to get both of those counts. For example, for logins and logouts (adjust to your case):

index=whatever
| stats count(eval(operation="login")) as logins count(eval(operation="logout")) as logouts

Then you can:

1. Have two separate visualizations - each of them displaying just one result field

2. Have a post-process search for that base search

| eval diff=logins-logouts

which you can use for another single value visualization.

This way you can just use one base search for everything.

0 Karma

gcusello
SplunkTrust

Hi @Znerox ,

you have to append two searches:

<your_search_A>
| stats sum(X) AS A
| append [
     <your_search_B>
     | stats sum(Y) AS B
     ]
| stats values(A) AS A values(B) AS B
| eval C=A-B
| table A B C

Ciao.

Giuseppe

0 Karma

Znerox
New Member

I'm at a loss here. I already have A and B visualized as "single values". The only thing that is missing is the calculation of A-B.

I've tried modifying your code to something that looks like it might make sense. Here I'm trying to reference the searches that are used to visualize A and B. (Access search results or metadata).

| stats values($<All requests>$) AS A values($<All responses>$) AS B
| eval C=A-B

 

0 Karma

ITWhisperer
SplunkTrust

In Classic XML dashboards, you can add a <done> stanza to the searches for your singles and set tokens from the first row of the results. You can then use these tokens in your subsequent search.

0 Karma

gcusello
SplunkTrust

@Znerox ,

I don't think that you can use a token from two other Single values, but you could use the same search (eventually as base search) in this third Single value, using a search like mine.

Ciao.

Giuseppe

0 Karma