Splunk Search

Hi, can you help me? How can I do three searches in the same query, but with the results separated per week?

DavidRojas
Engager

How can I do three searches in the same query, with the results separated per week (the results of the last 4 weeks), and then do a math operation on the results of the three searches for a final result?

///////////////////////////

This is my query:

index="main_alarms"
| search entity_name ="*"
| dedup alarm_id, source
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats count as eventcount by _time
| rename eventcount as "TotalAlerts"
   | append [ search index="main_alarms"
   | dedup alarm_id, source
   | search entity_name ="*"
   | search alarm_rule="*"
   | where _time>relative_time(now(),"-4w@w")
   | bin _time span=1w
   | where alarm_status_desc = "Closed: False Alarm"
   | stats count as alarm_status_desc by _time
   | rename alarm_status_desc as "AlertsFalse"]
            | append [search index="main_alarms"  
            | dedup alarm_id, source
            | search entity_name ="*"
            | dedup alarm_id, source
            | search alarm_status_desc="*" alarm_rule="*" ActionStatus=*
            | where _time>relative_time(now(),"-4w@w")
            | bin _time span=1w
            | stats count as eventcount1 by _time
            | rename eventcount1 as "AlertsSmart"]
| table "TotalAlerts" "AlertsFalse" "AlertsSmart"

/////////////////////////////////////////////////////////////////////

But this is the result (screenshot attached: DavidRojas_0-1622567463389.png)

//////////////////////////////////////////

How can I get the results in the same row and then compute the difference per week?

| eval Diff=TotalAlerts-(AlertsFalse+AlertsSmart)

- The same index in the 3 searches

- The last 4 weeks

- Difference = (A-(B+C))

- Chart the columns A B C Difference

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Before the last table command add 

| stats values(*) as * by _time


DavidRojas
Engager

Thank you ITWhisperer

I added these 3 lines to my query, and the result was successful, thank you so much


| stats values(*) as * by _time
| eval Diff=((AlertsTotals)-(AlertsSmart+AlertsFalse))
| table AlertsTotals AlertsFalse AlertsSmart Diff

(screenshot attached: DavidRojas_0-1622575632190.png)

0 Karma
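The accepted answer (stats values(*) as * by _time) collapses the three appended result sets into one row per week, and the follow-up adds the eval and table on top of it. As an added example that is not the poster's query or ITWhisperer's answer, the same weekly table can also be produced in a single pass over the index, without append subsearches, by counting each subset with count(eval(...)); it assumes the same index and field names as the posted query (main_alarms, entity_name, alarm_rule, alarm_status_desc, ActionStatus) and that the three searches differ only in their field filters, as they do above:

```spl
index="main_alarms" entity_name=* earliest=-4w@w
| dedup alarm_id, source
| bin _time span=1w
| stats count AS TotalAlerts,
        count(eval(isnotnull(alarm_rule) AND alarm_status_desc="Closed: False Alarm")) AS AlertsFalse,
        count(eval(isnotnull(alarm_status_desc) AND isnotnull(alarm_rule) AND isnotnull(ActionStatus))) AS AlertsSmart
        BY _time
| eval Diff = TotalAlerts - (AlertsFalse + AlertsSmart)
| table _time TotalAlerts AlertsFalse AlertsSmart Diff
```

Each count(eval(...)) counts only the events for which the expression is true, so the three columns are computed from one set of events and are guaranteed to share the same _time buckets; this also avoids the result and time limits that apply to append subsearches (maxout/maxtime). Two details worth keeping in mind: in eval, field names are written bare or in single quotes, while double quotes are string literals, which is why "TotalAlerts"-("AlertsFalse"+"AlertsSmart") yields no value; and earliest=-4w@w snaps to Sunday, so use -4w@w1 if the weeks should start on Monday. Keep _time in the final table if the result is going to be charted.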
