Splunk Search

How can I see the difference in a count for two different types of events by day?

Explorer

Hi,

I would like to see the difference in a count for two different type of events per day. Currently I have it in total but not sure how to split it per day

index="index1" ("first string" OR "second string") | eval First=if(searchmatch("first string"),1,0) | eval Second=if(searchmatch("second string"),1,0) | stats sum(First) as FirstChecks sum(Second) as SecopndChecks | eval missing=FirstChecks - SecondChecks

Thanks

0 Karma
1 Solution

SplunkTrust
SplunkTrust

try this

index="index1" ("first string" OR "second string") 
| bin _time span=1d
| eval First=if(searchmatch("first string"),1,0) 
| eval Second=if(searchmatch("second string"),1,0) 
| stats sum(First) as FirstChecks sum(Second) as SecondChecks by _time 
| eval missing= FirstChecks - SecondChecks

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

try this

index="index1" ("first string" OR "second string") 
| bin _time span=1d
| eval First=if(searchmatch("first string"),1,0) 
| eval Second=if(searchmatch("second string"),1,0) 
| stats sum(First) as FirstChecks sum(Second) as SecondChecks by _time 
| eval missing= FirstChecks - SecondChecks

View solution in original post

0 Karma