Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to find the difference between two fields?

sunnyparmar
Communicator
‎02-02-2016 04:54 AM

Hi,

I have a search given below. All is working fine, but in last I want to sort out difference between total-acknowledged which I am not getting, so please suggest here.

(host="e2e-onp-front" response="Message acknowledged successfully*")    OR      (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=*|rex "Successfully (?<response>created) notification"|eval notifications=if(match(response,"created"),"      Total", "Acknowledged")| stats  count by notifications | eval Diff = Total - Acknowledged

Thanks in advance

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-02-2016 05:14 AM

Try a bit different approach. Join the eval in the stats, something like below. You might need to adjust for your final requirements

 (host="e2e-onp-front" response="Message acknowledged successfully*")      OR        (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=*|rex "Successfully (?<response>created) notification"|stats count(eval(like(response,"%created%"))) AS Total, count(eval(NOT like(response,"%created%"))) as Acknowledge| eval Diff = Total - Acknowledged
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

rakeshh123
Path Finder
‎02-03-2016 01:54 AM

Hello sunnyparmer,
i just changed order of the queries and changed stats to eventstats in the query ........I actually worked on my data with a similar query it is working fine..this is just due to the fact stats cannot pass data to another stats command in chain you have to use eventstats for that....i am sending screenshot of my query and data....
alt text

(host="e2e-onp-front" response="Message acknowledged successfully*") OR (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=|rex "Successfully (?created) notification"|eventstats count by notifications*|stats count(eval(like(response,"%created%"))) AS Total, count(eval(NOT like(response,"%created%"))) as Acknowledge| eval Diff = Total - Acknowledged...
Let me know if it works

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-02-2016 05:14 AM

Try a bit different approach. Join the eval in the stats, something like below. You might need to adjust for your final requirements

 (host="e2e-onp-front" response="Message acknowledged successfully*")      OR        (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=*|rex "Successfully (?<response>created) notification"|stats count(eval(like(response,"%created%"))) AS Total, count(eval(NOT like(response,"%created%"))) as Acknowledge| eval Diff = Total - Acknowledged
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 06:29 AM

Thanks.. You are close enough but displaying result is not exact.. Could you please rearrange these?

  1. | stats count by notifications | delta count as diff p=1

notification count diff
Acknowledged 38
Total 2 36

  1. your search| stats count by notification|transpose 2|rename "row 1" as Acknowledged,"row 2" as Total|eval Diff=Total-Acknowledged|search column=count|fields - column

Acknowledged Total Diff
2 38 36

  1. your search |stats count by notification|streamstats last(count) as newcount current=f|eval Diff=newcount-count|eventstats last(Diff) as Diff|fields - newcount

notifications count Diff
Acknowledged 2 -36
Total 38 -36

0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 06:30 AM

second one is more appropriate but the issue is notification column is vanished from it.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2016 07:01 AM

In the second one, the notification is transposed as Acknowledged and Total and the correspoding counts are shown under each column. Where do you wantto display notification now? How should be your final result looks like?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 09:34 PM

final result will be look like -

notification Counts
Total 38
Acknowledged 2
Difference 36

Thanks

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2016 10:07 PM

Alright. Try this

     (host="e2e-onp-front" response="Message acknowledged successfully*") OR (host= "e2e-onp-bl-db" DocumentNotificationHookServiceImpl Successfully created notification ) org=*
     |rex "Successfully (?<response>created) notification"|eval notifications=if(match(response,"created"),"Total", "Acknowledged")
     |stats  count by notifications
     |delta count as Difference p=1| appendpipe [|stats values(Difference) as Difference|eval notifications="Difference"|eval count=Difference]|fields - Difference
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 10:12 PM

Great buddy.. thanks a ton...

0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 05:22 AM

thanks for replying but still getting no difference with the query. Even by executing your query i have lost my notification column under which "Total" and "Acknowledged" parameters showing previously. Now it is showing only Total=38 and Acknowledged=2 columns. Notification column is vanished.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2016 05:46 AM

Diff is not showing since there is a typo ie : | eval Diff = Total - Acknowledge

In your first search , the Total and Acknowledged are on diff rows (ie: stats count by notification). So where do you want to dislpay the difference?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 05:57 AM

i want to display it in the dashboard result.. Currently i am getting two columns. first is notifications under which i am getting "Total" and "Acknowledged" values and other one is count column under which i am getting "38" and "2" values respectively so now i want third column in which it will show the difference of Total-Acknowledged.

Thanks

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2016 06:10 AM

Yes, got it, Your result is 

notification                  count
Acknowledged            38
Total                             2

So in third column, which row you want to display the diff ?

  1. Easiest method is using delta ie : | stats count by notifications | delta count as diff p=1

  2. If you want to transpose the complete table, then use

    your search| stats count by notification|transpose 2|rename "row 1" as Acknowledged,"row 2" as Total|eval Diff=Total-Acknowledged|search column=count
    |fields - column

  3. If you want to print diff in all columns

    your search |stats count by notification|streamstats last(count) as newcount current=f|eval Diff=newcount-count|eventstats last(Diff) as Diff|fields - newcount

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2016 05:03 AM

Are you sure your base query is producing events with Total and Acknowledged fields? Without the fields, a difference cannot be computed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 05:05 AM

thanks for answering.. yes my base query is production events with total=38 and acknowledged=2 so i want the rest of the difference 36 to be shown in dashboard with these two values.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2016 05:12 AM

Case is significant with field names. If the names are "total" and "acknowledged" then your query must be ... | eval Diff = total - acknowledged.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sunnyparmar
Communicator
‎02-02-2016 05:15 AM

in both words first alphabet are capital like i have pasted in my own query.

| eval Diff = Total - Acknowledged

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...