Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you subtract values from an appended se...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jephillips
Explorer
02-06-2019
06:13 AM
I'm trying to run the below searches and get the subtracted value from them. However, the eval command is not giving me a new Difference field. I just get the results of the separate searches.
index=a sourcetype=test start=* end=* | eventstats count as Total1
| append [search index=a sourcetype=test start=* end=* xfer=* | eventstats count as Total2]
| eval Difference=Total1 - Total2
I'd like a chart that with a row for all three values.
Total1 Total2 Difference
10 8 2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
06:46 AM
Hello @jephillips ,
Try this:
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
02-06-2019
06:51 AM
You can try the below search-
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
06:46 AM
Hello @jephillips ,
Try this:
index=a sourcetype=test start= end= | stats count as Total1
| appendcols [search index=a sourcetype=test start= end= xfer=* | stats count as Total2]
| eval Difference=Total1 - Total2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jephillips
Explorer
02-06-2019
06:49 AM
That did it! Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-08-2019
08:42 AM
Be sure to click Accept to close the question and help others find working answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
02-06-2019
10:15 PM
@jephillips
Great 🙂
Please accept the answer to close the thread.
Get Updates on the Splunk Community!
New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...
The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...
Improve Data Pipelines Using Splunk Data Management
Register Now
This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
Register
Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...
