Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract outcome of count

rijk
Explorer
‎05-20-2014 07:21 AM

I have two saved searches, saved them as macros.

1: [search sourcetype="brem" sanl31 eham Successfully completed (cc*) | fields MessageTime] sanl31 eham Successfully completed cc* | stats count

This is saved as brem_correction_count

2: [search sourcetype="brem" sanl31 eham Successfully completed (cc*) | fields MessageTime] sanl31 eham Successfully completed NOT cc* | stats count

This is saved as brem_corrected_count

How can I use these searches to subtract the outcome of the 2 searches?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-20-2014 10:05 AM

First, I don't understand what the subsearch is doing in either one of these. I think you can simplify like this:

Search 1:

sourcetype="brem" sanl31 eham Successfully completed cc* | stats count

Search 2:

sourcetype="brem" sanl31 eham Successfully completed NOT cc* | stats count

The fastest search that would calculate the difference would probably be

sourcetype="brem" sanl31 eham Successfully completed
| eval ccType=if(match(_raw,"\bcc"),"Yes","No")
| stats count(eval(ccType="Yes")) as ccCount count(eval(ccType="No")) as NotCcCount
| eval diff =ccCount - NotCcCount

View solution in original post

Reply
Solved! Jump to solution

rijk
Explorer
‎05-21-2014 12:35 AM

Many thanks for you answer, it does exactly what I needed. The subsearch is needed to find two related messages based on a field MessageTime. Sorry that I confused you, but the subsearch is needed.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-20-2014 10:05 AM

First, I don't understand what the subsearch is doing in either one of these. I think you can simplify like this:

Search 1:

sourcetype="brem" sanl31 eham Successfully completed cc* | stats count

Search 2:

sourcetype="brem" sanl31 eham Successfully completed NOT cc* | stats count

The fastest search that would calculate the difference would probably be

sourcetype="brem" sanl31 eham Successfully completed
| eval ccType=if(match(_raw,"\bcc"),"Yes","No")
| stats count(eval(ccType="Yes")) as ccCount count(eval(ccType="No")) as NotCcCount
| eval diff =ccCount - NotCcCount
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...