Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Splunk Search

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Finding the difference between to separate fields?

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Finding the difference between to separate fields?

dreschke

Explorer

06-13-2018
08:16 AM

Good morning everyone,

I am trying to find the difference between to fields. I have tried the eval command to subtract between the 2 fields and I have also tried to use the delta command to find the difference. Is there something that i am missing to accomplish this?

Here is the search that i am using below:

index=abc sourcetype=xxx field=xyz

|stats count by Code | stats sum(count) as total2

| append [search index=abc sourcetype=xxx field=xyz

| stats count as total ] | eval total3=(total - total2) | table total, total2, total3

Thank you all for your help with. It seems so simple to me but i just can't get it to work or I am missing something. Thanks again everyone.

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

renjith_nair

SplunkTrust

06-13-2018
08:49 AM

Does this work for you ?

```
index=abc sourcetype=xxx field=xyz|eventstats count as total|stats count as code_count,first(total) as total by code|stats sum(code_count) as total2,first(total) as total|eval total3=total-total2
```

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

dreschke

Explorer

06-13-2018
10:09 AM

Hello, renjith.nair thanks for your help, your search help me get a step closer to what i am looking for. The over all goal is to find the difference between an overall total and a specific total in order to produce a N/A field.

I tired to expand on what you gave me but I am not able to get the overall total. that what the appended search in my original search was trying to bring in. I removed the field=xyz from the append search since that might be confusing some people. Thanks for your help.

index=abc sourcetype=xxx field=xyz

|stats count by Code | stats sum(count) as total2

| append [search index=abc sourcetype=xxx

| stats count as total ] | eval total3=(total - total2) | table total, total2, total3

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

renjith_nair

SplunkTrust

06-13-2018
08:01 PM

Are you getting the total event after the search`index=abc sourcetype=xxx field=xyz|eventstats count as total|table total`

?

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

dreschke

Explorer

06-14-2018
05:12 AM

For my search that I am using the eventstats and the stats count by code are bringing the same name number, so the eval will always result in a 0. One search be bringing in an overall total amount and the other search should bringing in a number that is always less the over all total. I updated the search I originally provided due to so new items that will hopefully show what i am trying to achieve.

Search 1: Gives a count by Code and then an overall total (adding all the Code totals together)

index=test sourcetype=xxx url="www.test123.com/login"

|lookup USER.csv Username AS Username, OUTPUTNEW LoginID as LoginID, Code AS Code

| search LoginID=*

| table Username LoginID Code

|stats count by Code | stats sum(count) as total2

Search2: Gives over all total

| append [search index=test sourcetype=xxx url="www.test123.com/login"

| stats count as total | eval abc=(total-total2) | table total total2 abc ]

Hopefully this help. The logic behind your search works i just to figure how to get the overall total and the Code total together to find the difference.

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

somesoni2

SplunkTrust

06-14-2018
08:09 AM

It seems like you're getting a count of events where you've a matching LoginID from USER.csv, then getting total events, regardless whether they are in lookup or not, and then finding difference. Assuming base search for both is same, try somethign liek this

```
index=test sourcetype=xxx url="www.test123.com/login"
|lookup USER.csv Username AS Username, OUTPUTNEW LoginID as LoginID, Code AS Code
| stats count(LoginID) as total2 count as total
| eval abc=total-total2 | table total total2 abc
```

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

dreschke

Explorer

06-14-2018
08:54 AM

Hi somesoni2,

This is still giving a result of 0. I am still not seeing the results from my second search:

index=test sourcetype=xxx url="www.test123.com/login"

| stats count as total

The first search is what is narrowing down the results and giving me the over all total. Thanks you for help though you search worked just the results are coming out as zero.

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Finding the difference between to separate fields?

somesoni2

SplunkTrust

06-14-2018
09:04 AM

Is there any difference is the both searches (apart from stats calculation)? The query I wrote above will give difference of events between total events and events where LoginID is available (base search is same). Try this little inefficient version as well

```
index=abc sourcetype=xxx field=xyz
|stats count by Code | stats sum(count) as total2
| appendcols [search index=abc sourcetype=xxx field=xyz
| stats count as total ] | eval total3=(total - total2) | table total, total2, total3
```