Splunk Search

Displaying difference between two search query stats

jmalachoSPL64
Engager

I am using the following query to retrieve events that I then display.  I would like to add another column that is the difference between the two columns.

each log event has a field called app_elements={eventtype='event1','widget'='apple'), for example

The query:

index="aws" level="info"  env="dev" earliest=-72h latest=-48h| spath input=app_elements | stats count by eventtype | eval Period="Before" | append [search index="aws" level="info" env="dev" earliest=-24h latest=now| spath input=app_elements | stats count by eventtype | eval Period="Now" ] | chart sum(count) over eventtype by Period

The current result:

eventtype                             Before                    Now

event1                                       10                           20

event2                                       15                           12

event3                                       22                           20

event4                                       5                                8

 

The desired result:

eventtype                             Before                    Now                Difference

event1                                       10                           20                         10

event2                                       15                           12                          -3

event3                                       22                           20                          -2

event4                                       5                                8                            3

Labels (3)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

@jmalachoSPL64 Difference seems not consistent however is this what you are looking for?

 

<your_whole_search>
| eval Difference = Before - Now
| table eventype Before Now Difference

 

 

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

@jmalachoSPL64 Difference seems not consistent however is this what you are looking for?

 

<your_whole_search>
| eval Difference = Before - Now
| table eventype Before Now Difference

 

 

jmalachoSPL64
Engager

thanks venkatasri.   I threw in a fillnull to zero out the events that don't occur on particular days and it looks great.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...