Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate Difference Between Outputs of two Scheduled Searches

jodros
Builder
‎09-19-2012 08:16 AM

I have two scheduled searches that each output a single numerical value to populate panels on a dashboard. I want to add a third panel to simply show the difference between the two. I have read several threads on splunk answers but none have helped me with this issue. Each search is somewhat complex and takes a bit of time to run, so I scheduled them to run and cache their results for the dashboard. I have read and tried using savedsearch and append. I have also tried to utilize OR and eval. I have read where using join is discouraged. Best case would be to simply take the already ran results and simply eval them, without have to run both searches again.

Any assistance would be appreciated. Thanks.

Edit:
Would it help if I included the searches that are running on a schedule?
Search 1:

`sourcetype=a tag=prod | dedup c_uid | stats count(c_uid)`

Search 2:

`sourcetype=a tag=prod [search sourcetype=b tag=prod audit_event="AUTHN_SUCCESS" | dedup b_uid | fields b_uid | format maxresults=20000] | dedup c_uid | stats count(c_uid)`

Search 1 will always be more than search 2, and I would like to show that difference in a panel on the dashboard. The other alternative is not to show the difference and just let the VP do the math, which isn't a good option.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-20-2012 07:09 AM

I think this should work:

| loadjob savedsearch="user:app:yoursavedsearch" | append [| loadjob savedsearch="user:app:yourothersavedsearch"] | delta count(c_uid) as diff

This will create the field "diff" that you could show in a panel.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-20-2012 07:09 AM

I think this should work:

| loadjob savedsearch="user:app:yoursavedsearch" | append [| loadjob savedsearch="user:app:yourothersavedsearch"] | delta count(c_uid) as diff

This will create the field "diff" that you could show in a panel.

Reply
Solved! Jump to solution

flo_cognosec
Communicator
‎06-02-2014 01:11 AM

Interesting enough I can't seem to find the necc. job-id's and when using the names of scheduled saved searches, I get the error message that no search artifacts could be found even though the searches ran and can be viewed.
Is a stats command in the saved searches a problem ?

0 Karma
Reply
Solved! Jump to solution

jodros
Builder
‎09-20-2012 07:39 AM

Thank you! I knew it would be something simple like that. I modified your suggestion slightly but it works great.

| loadjob savedsearch="user:app:yoursavedsearch" | append [| loadjob savedsearch="user:app:yourothersavedsearch"] | stats range(count(c_uid) as diff

This allows me not to have to worry about negative integers.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...