Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add the result of 2 calculations in 2 searches?

citizencrane
New Member
‎04-16-2016 06:35 PM

I have 2 searches which from the log I calculate a difference of a number at the current time and the beginning of the day. I'd like to take the difference calculated across 2 of the hosts and add them together which would provide a total across 2 hosts.

This is what I'm using to calculate across 1 host:

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_7" | stats earliest(DequeueCount) AS pEarliest7 latest(DequeueCount) AS pCurrent7 by mbean_property_destinationName | eval MsgsToday7=pCurrent7-pEarliest7

2nd host would be identical except a different host name. 

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_8" | stats earliest(DequeueCount) AS pEarliest8 latest(DequeueCount) AS pCurren8t by mbean_property_destinationName | eval MsgsToday8=pCurrent8-pEarliest8

I need the outcome to be MsgsToday7+MsgsToday8=TotalMessagesToday

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-17-2016 04:49 AM

Something like this?

   index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" (host="host_7" OR host="host_8")
| stats earliest(DequeueCount) AS pEarliest latest(DequeueCount) AS pCurrent by host mbean_property_destinationName
| stats sum(pEarliest) as pEarliest sum(pCurrent) as pCurrent by mbean_property_destinationName
| eval MsgsToday=pCurrent-pEarliest

That's assuming you don't actually need a regular expression match on the host field... if you do, pre-filter with a wildcard match for performance and then regex-filter with an OR'd expression to match host 7 or host 8.
The first stats calculates earliest and latest values per host and mbean, the second stats sums up values over all hosts per mbean.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-17-2016 04:49 AM

Something like this?

   index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" (host="host_7" OR host="host_8")
| stats earliest(DequeueCount) AS pEarliest latest(DequeueCount) AS pCurrent by host mbean_property_destinationName
| stats sum(pEarliest) as pEarliest sum(pCurrent) as pCurrent by mbean_property_destinationName
| eval MsgsToday=pCurrent-pEarliest

That's assuming you don't actually need a regular expression match on the host field... if you do, pre-filter with a wildcard match for performance and then regex-filter with an OR'd expression to match host 7 or host 8.
The first stats calculates earliest and latest values per host and mbean, the second stats sums up values over all hosts per mbean.

Reply
Solved! Jump to solution

citizencrane
New Member
‎04-18-2016 07:56 AM

That works, the by host is what had me thrown for a loop, Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...