Splunk Search

Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

DavidRojas
Engager

How can I do Three search in the same query, but the results separate for a week (the results of last 4 weeks), and the result of the three search do a operation math for a final result.

///////////////////////////

This is my query:

index="main_alarms"
| search entity_name ="*"
| dedup alarm_id, source
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats count as eventcount by _time
| rename eventcount as "TotalAlerts"
   | append [ search index="main_alarms"
   | dedup alarm_id, source
   | search entity_name ="*"
   | search alarm_rule="*"
   | where _time>relative_time(now(),"-4w@w")
   | bin _time span=1w
   | where alarm_status_desc = "Closed: False Alarm"
   | stats count as alarm_status_desc by _time
   | rename alarm_status_desc as "AlertsFalse"]
            | append [search index="main_alarms"  
            | dedup alarm_id, source
            | search entity_name ="*"
            | dedup alarm_id, source
            | search alarm_status_desc="*" alarm_rule="*" ActionStatus=*
            | where _time>relative_time(now(),"-4w@w")
            | bin _time span=1w
            | stats count as eventcount1 by _time
            | rename eventcount1 as "AlertsSmart"]
| table "TotalAlerts" "AlertsFalse" "AlertsSmart"

/////////////////////////////////////////////////////////////////////

But this is the result

DavidRojas_0-1622567463389.png

//////////////////////////////////////////

How can I get the result to be in the same row and then do the difference of the week?

| eval Diff=(("TotalAlerts")-("AlertsFalse"+"AlertsSmart"))

 

- The same index in the 3 searchs

- The last 4 weeks

- Diference =(A-(B+C))

- Chart the Columns A B C Diference

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Before the last table command add 

| stats values(*) as * by _time

View solution in original post

DavidRojas
Engager

Thak you ITWhisperer

 

Thak you ITWhisperer

 

I Add this 3 lines in my Query, and the result successfully, thank you so much


| stats values(*) as * by _time
| eval Diff=((AlertsTotals)-(AlertsSmart+AlertsFalse))
| table AlertsTotals AlertsFalse AlertsSmart Diff

 

DavidRojas_0-1622575632190.png

 

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Before the last table command add 

| stats values(*) as * by _time
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...