Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge two search queries of same source and get the difference using splunk ?

kanamarlapudive
New Member
‎12-08-2019 10:13 PM

Hi team,

I have two below queries, can you please suggest how to merge and get difference of counts in separate column.

index=A | rex field=_raw command=(?Common ID\w+) | stats count by CountA

And

index=A | rex field=_raw command=(? Common ID\w+) | stats count by CountB

The Common ID i am getting through rex command.

I am looking for the below output in columns format.

Common ID  Count A  Count B   Difference ( i.e. Count A - Count B)

Kindly suggest on this any approach, i have tried subsearch and join and am unable to get the result.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-13-2019 04:07 AM

Like this:

index="A" AND ("StringA" OR "StringB")
| rex "some RegEx with capture for commonID here"
|stats count(eval(searchmatch("StringA"))) AS CountA count(eval(searchmatch("StringB"))) AS CountB BY commonID
| eval Difference = CountA - CountB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-13-2019 02:57 AM

Edit your post and fix your rex commands.

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎12-09-2019 12:28 AM

@kanamarlapudivenkatanagavinaykumar ,

Try using eval in stats.

Assuming that countA and B are values of a field , 

index=A | rex field=_raw command=(?Common ID\w+)
|stats count(eval(field_name=="countA")) as countA,
       count(eval(field_name=="countB")) as countB by CommonID
|eval Difference=countA-countB
Happy Splunking!
0 Karma
Reply

kanamarlapudive
New Member
‎12-09-2019 12:56 AM

Hi Renjith,
it is not working, i have updated my question.

index=A Search String A| rex field=_raw command=(?CommonID\w+) | stats count as CountA by CommonID

index=A Search String B | rex field=_raw command=(? CommonID\w+) | stats count as CountB by CommonID

Common ID i am getting through rex command.

I am looking for the below output in columns format.

Common ID Count A Count B Difference ( i.e. Count A - Count B)

Kindly suggest on this any approach, i have tried subsearch and joins. Unable to get the result.

0 Karma
Reply

kanamarlapudive
New Member
‎12-12-2019 06:21 AM

Hi renjith,
I found the partial solution for my problem.

index=A ("StringA" OR "StringB")
|stats count(eval(searchmatch("StringA"))) as CountA ,count(eval(searchmatch("StringB"))) as CountB by commonID

with this i am able to achieve the data in below format.

Common ID Count A Count B

I am not getting Difference as another column, can you please tell how to get the difference as a separate column in results.

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎12-13-2019 12:51 AM

@kanamarlapudivenkatanagavinaykumar ,
whats the result of ?

|eval diff=CountA - CountB
Happy Splunking!
0 Karma
Reply

kanamarlapudive
New Member
‎12-08-2019 10:16 PM

Hi team,

I have corrected the statements for everyone understanding.

Hi team,

I have two below queries, can you please suggest how to merge and get difference of counts in separate column.

index=A Search String A| rex field=_raw command=(?Common ID\w+) | stats count as CountA by CommonID

index=A search string B | rex field=_raw command=(? Common ID\w+) | stats count as CountB by CommonID

Common ID i am getting through rex command.

I am looking for the below output in columns format.

Common ID Count A Count B Difference ( i.e. Count A - Count B)

Kindly suggest on this any approach, i have tried subsearch and joins. Unable to get the result.

0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...