Can a Splunk alert be triggered by comparing a single integer value returned by two searches?


Is it possible to write two searches, each of which returns a single integer result, and trigger an alert based on whether the value returned by search 1 is greater than the value returned by search 2?


You can do all this in one search

search A | append [search B] | compute here...


index=_internal earliest=-20s
| stats count as value
| append [search index=_internal earliest=-10s | stats count as value]
| eventstats sum(value) as Total
| eval flag = if((value > (Total-value)),"Y","N")
| head 1
| search flag="Y"
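A variant of the same single-search approach, added here as an illustration and not taken from the answer above: it uses appendcols so both counts land in one row under explicit names (a for search 1, b for search 2) instead of being told apart by row order, and fillnull so a side that produces no row is treated as 0 rather than making the comparison null. The index, time ranges and the field names a, b and diff are placeholders for whatever the two real searches return.

```spl
index=_internal earliest=-20s
| stats count AS a
| appendcols [ search index=_internal earliest=-10s | stats count AS b ]
| fillnull value=0 a b
| eval diff = a - b
| where a > b
```

Save it as an alert with the trigger condition "Number of Results" greater than 0: the search returns one row (carrying a, b and diff) only when search 1's value exceeds search 2's, and nothing otherwise. appendcols joins results row by row, so this form is only suitable when each side reduces to a single row, which is exactly the single-integer case the question asks about.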

