Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Graph the difference between the totals of 2 search calculations

GClef
New Member
‎02-29-2024 12:47 PM

Dear SPLUNKos

I need to create a time chart as per the below
Run one “grand total” search
Run second search which is a dedup of the first search.
Subtract the difference and timechart only the difference.

I have got to the point below which gives me a table of data but I cannot get this to chart : Mr SPLUNK in my organisation tells me this cannot be done which is  borne out by the documentation on the timechart command which indicates it can only reference field data not calculated data . Is there a way?

<SEARCH-GRANDTOTAL> | stats count as Grandtotal
|  appendcols [ <SEARCH-2> | stats count as TotalDeDup ]
|  eval diff= Grandtotal - TotalDeDup
Labels (1)
Labels
0 Karma
Reply

GClef
New Member
‎02-29-2024 03:20 PM

Thanks, I would appreciate it  if you stepped back from this : I will see if anyone else in the community has an idea / understands what I am saying 🙂  Have a great day Rick

0 Karma
Reply

GClef
New Member
‎02-29-2024 03:06 PM

I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one from the other and want to graph that value against time. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:14 PM

Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you apparently know better. But then again - why asking for help in the first place?

0 Karma
Reply

GClef
New Member
‎02-29-2024 02:27 PM

Timechart the difference against time...  The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermittently and significantly duplicating individual log entries due to something in the way they are forwarding so I want to chart this to have an artefact I can point at for analysis.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:02 PM

But your search shows just two data points. Without more details on your data it's impossible to help you.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 02:17 PM

What would you want to timechart here as you have only two values? This makes no sense.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...