Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Graph the difference between the totals of 2 search calculations

GClef
New Member
‎02-29-2024 12:47 PM

Dear SPLUNKos

I need to create a time chart as per the below
Run one “grand total” search
Run second search which is a dedup of the first search.
Subtract the difference and timechart only the difference.

I have got to the point below which gives me a table of data but I cannot get this to chart : Mr SPLUNK in my organisation tells me this cannot be done which is  borne out by the documentation on the timechart command which indicates it can only reference field data not calculated data . Is there a way?

<SEARCH-GRANDTOTAL> | stats count as Grandtotal
|  appendcols [ <SEARCH-2> | stats count as TotalDeDup ]
|  eval diff= Grandtotal - TotalDeDup
Labels (1)
Labels
0 Karma
Reply

GClef
New Member
‎02-29-2024 03:20 PM

Thanks, I would appreciate it  if you stepped back from this : I will see if anyone else in the community has an idea / understands what I am saying 🙂  Have a great day Rick

0 Karma
Reply

GClef
New Member
‎02-29-2024 03:06 PM

I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one from the other and want to graph that value against time. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:14 PM

Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you apparently know better. But then again - why asking for help in the first place?

0 Karma
Reply

GClef
New Member
‎02-29-2024 02:27 PM

Timechart the difference against time...  The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermittently and significantly duplicating individual log entries due to something in the way they are forwarding so I want to chart this to have an artefact I can point at for analysis.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:02 PM

But your search shows just two data points. Without more details on your data it's impossible to help you.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 02:17 PM

What would you want to timechart here as you have only two values? This makes no sense.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...