Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Compare values of main search and subsearch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
parker_ryan
Engager
01-21-2021
02:18 PM
I am looking to compare the count of transactions processed in a 3 hour window to the count of transactions made in that same timeframe 3 days prior. I would like to set the count of the first search as variable such as count1 and likewise for the second search as count2. Then I could do a comparison to alert when the difference in transactions is outside 20%
(where Count1 <= Count2*0.8 OR Count1 >=Count2*1.2)
My search currently looks like this (It is not functional, so I would love to know how to fix it):
index=sales messageType=AuthPaymentReply earliest=-246h latest=-243h
| dedup OrderId
| search Status="Success"
| stats count by Status as Count1
| search [search index=sales messageType=AuthPaymentReply earliest=3h latest=now
| dedup OrderId
| search Status="Success"
| stats count by Status as Count2]
| where Count1 <= Count2*0.8 OR Count1 >=Count2*1.2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
01-21-2021
09:07 PM
hi @parker_ryan ,
Try this query.
Subsearch returns count for the last 3 hours and main search returns count for the same timeframe 3 days prior.
index=sales messageType=AuthPaymentReply earliest=-3d@-3h latest=-3d Status="Success"
| dedup OrderId
| stats count as Count1
| appendcols
[ search index=sales messageType=AuthPaymentReply earliest=-3h latest=now Status="Success"
| dedup OrderId
| stats count as Count2]
| where Count1 <= Count2*0.8 OR Count1 >=Count2*1.2
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
parker_ryan
Engager
01-22-2021
08:52 AM
@manjunathmeti That worked! Thank you so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
01-21-2021
09:07 PM
hi @parker_ryan ,
Try this query.
Subsearch returns count for the last 3 hours and main search returns count for the same timeframe 3 days prior.
index=sales messageType=AuthPaymentReply earliest=-3d@-3h latest=-3d Status="Success"
| dedup OrderId
| stats count as Count1
| appendcols
[ search index=sales messageType=AuthPaymentReply earliest=-3h latest=now Status="Success"
| dedup OrderId
| stats count as Count2]
| where Count1 <= Count2*0.8 OR Count1 >=Count2*1.2
If this reply helps you, an upvote/like would be appreciated.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
It’s go time — Boston, here we come!
Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...
Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
