Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query for subtracting the timechart span results of two queries

shaycoshay
Engager
‎12-13-2023 03:59 PM

Hello! I'm new to splunk so any help is much appreciated. I have two queries of different index. 

Query1: index=rdc sourcetype=sellers-marketplace-api-prod custom_data | search "custom_data.result.id"="*" | dedup custom_data.result.id | timechart span=1h count

 shaycoshay_1-1702511686857.png

Query2: index=leads host="pa*" seller_summary | spath input="Data" | search "0.lead.form.page_name"="seller_summary" | dedup 0.id | timechart span=1h count

shaycoshay_0-1702511665851.png

I would like to write a query that executes Query1-Query2 for the counts in each hour. It should be in the same format. Thank you!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 05:12 PM

Using a multisearch command may be useful here to help standardize some fields before piping the two datasets into a timechart command.

Something like this I think should work.

| multisearch
    [
        | search index=rdc sourcetype=sellers-marketplace-api-prod "custom_data.result.id"="*"
            | fields + _time, index, "custom_data.result.id"
        ]
    [
        | search index=leads host="pa*" seller_summary
            | spath input="Data" 
            | search "0.lead.form.page_name"="seller_summary"
            | fields + _time, index, "0.id"
        ]
    | eval
        identifier=coalesce('custom_data.result.id', '0.id')
    | dedup index, identifier
    | timechart span=1h
        count as count
            by index
    | eval
        diff='leads'-'rdc'

 
Tried to replicate on my local instance with some similarly structured datasets and think it works out.
Resulting dataset should look something like this. (But with your indexes of course)

dtburrows3_0-1702516353818.png

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 05:12 PM

Using a multisearch command may be useful here to help standardize some fields before piping the two datasets into a timechart command.

Something like this I think should work.

| multisearch
    [
        | search index=rdc sourcetype=sellers-marketplace-api-prod "custom_data.result.id"="*"
            | fields + _time, index, "custom_data.result.id"
        ]
    [
        | search index=leads host="pa*" seller_summary
            | spath input="Data" 
            | search "0.lead.form.page_name"="seller_summary"
            | fields + _time, index, "0.id"
        ]
    | eval
        identifier=coalesce('custom_data.result.id', '0.id')
    | dedup index, identifier
    | timechart span=1h
        count as count
            by index
    | eval
        diff='leads'-'rdc'

 
Tried to replicate on my local instance with some similarly structured datasets and think it works out.
Resulting dataset should look something like this. (But with your indexes of course)

dtburrows3_0-1702516353818.png

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2023 05:03 PM

It may not be the most efficient method, but this should get you started.

index=rdc sourcetype=sellers-marketplace-api-prod custom_data 
| search "custom_data.result.id"="*" 
| dedup custom_data.result.id | timechart span=1h count as count1
| append [ search index=leads host="pa*" seller_summary 
  | spath input="Data" 
  | search "0.lead.form.page_name"="seller_summary" 
  | dedup 0.id 
  | timechart span=1h count as count2
| stats values(*) as * by _time
| eval diff = count1 - count2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...