Compare number of results of two searches

Znerox
New Member

I have a search X that shows requests, search Y shows responses.
Value A = number of X
Value B = number of Y

I want to calculate a new value C, that is A-B (would show number of requests where response is missing). How can I calculate C?

0 Karma

PickleRick
SplunkTrust

You might actually do it another way. Assuming you're getting your counts from pretty much the same set of data, probably just differing in some field(s) values, you can create a base search to get both of those counts. For example, for logins and logouts (adjust to your case):

index=whatever
| stats count(eval(operation="login")) as logins count(eval(operation="logout")) as logouts

Then you can:

1. Have two separate visualizations - each of them displaying just one result field

2. Have a post-process search for that base search

| eval diff=logins-logouts

which you can use for another single value visualization.

This way you can just use one base search for everything.

0 Karma

gcusello
SplunkTrust

Hi @Znerox ,

you have to append two searches:

<your_search_A>
| stats sum(X) AS A
| append [
     <your_search_B>
     | stats sum(Y) AS B
     ]
| stats values(A) AS A values(B) AS B
| eval C=A-B
| table A B C

Ciao.

Giuseppe

0 Karma

Znerox
New Member

I'm at a loss here. I already have A and B visualized as "single values". The only thing that is missing is the calculation of A-B.

I've tried modifying your code to something that looks like it might make sense. Here I'm trying to reference the searches that are used to visualize A and B. (Access search results or metadata).

| stats values($<All requests>$) AS A values($<All responses>$) AS B
| eval C=A-B

 

0 Karma

ITWhisperer
SplunkTrust

In Classic XML dashboards, you can add a <done> stanza to the searches for your singles and set tokens from the first row of the results. You can then use these tokens in your subsequent search.

0 Karma

gcusello
SplunkTrust

@Znerox ,

I don't think that you can use a token from two other Single values, but you could use the same search (eventually as base search) in this third Single value, using a search like mine.

Ciao.

Giuseppe

0 Karma