Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you subtract values from an appended se...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jephillips
Explorer
02-06-2019
06:13 AM
I'm trying to run the below searches and get the subtracted value from them. However, the eval command is not giving me a new Difference field. I just get the results of the separate searches.
index=a sourcetype=test start=* end=* | eventstats count as Total1
| append [search index=a sourcetype=test start=* end=* xfer=* | eventstats count as Total2]
| eval Difference=Total1 - Total2
I'd like a chart that with a row for all three values.
Total1 Total2 Difference
10 8 2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
06:46 AM
Hello @jephillips ,
Try this:
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
02-06-2019
06:51 AM
You can try the below search-
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
06:46 AM
Hello @jephillips ,
Try this:
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jephillips
Explorer
02-06-2019
06:49 AM
That did it! Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-08-2019
08:42 AM
Be sure to click Accept to close the question and help others find working answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
10:15 PM
@jephillips
Great 🙂
Please accept the answer to close the thread.
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
