Splunk Search

Comparing results from two searches

dcparker
Path Finder

Hello,

I am trying to compare the standard deviation from the last 24 hours to the standard deviation of the last 3 hours. I have my search, which is basically this:

earliest = -24h@h latest = @h | timechart span=1h count | stats stdev(count) as test | append [ search earliest = -3h@h latest = @h | timechart span=1h count | stats stdev(count) as testsub ]

The search is working fine, but returns two rows. The problem is that only one field in each row is populated from the search. It looks like this:
alt text

However, I cannot compare those two values, I think because of the empty fields in each row. Is there a way to get these in the same row or a better way to compare them? I have tried eval, where, and a lot of different ways to compare them. Any help is appreciated!

Tags (2)
0 Karma
1 Solution

kmattern
Builder

Make your subsearch appendcols instead of append. You'll get everything in one row.

earliest = -24h@h latest = @h | timechart span=1h count | stats stdev(count) as test | appendcols [ search earliest = -3h@h latest = @h | timechart span=1h count | stats stdev(count) as testsub ]

alt text

View solution in original post

kmattern
Builder

Make your subsearch appendcols instead of append. You'll get everything in one row.

earliest = -24h@h latest = @h | timechart span=1h count | stats stdev(count) as test | appendcols [ search earliest = -3h@h latest = @h | timechart span=1h count | stats stdev(count) as testsub ]

alt text

Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...