How to add the result of 2 calculations in 2 searches?

New Member

I have 2 searches in which I calculate, from the log, the difference between a number at the current time and at the beginning of the day. I'd like to take the differences calculated across 2 of the hosts and add them together, which would provide a total across the 2 hosts.

This is what I'm using to calculate across 1 host:

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_7" | stats earliest(DequeueCount) AS pEarliest7 latest(DequeueCount) AS pCurrent7 by mbean_property_destinationName | eval MsgsToday7=pCurrent7-pEarliest7

2nd host would be identical except a different host name.

index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" | regex host="host_8" | stats earliest(DequeueCount) AS pEarliest8 latest(DequeueCount) AS pCurrent8 by mbean_property_destinationName | eval MsgsToday8=pCurrent8-pEarliest8

I need the outcome to be MsgsToday7+MsgsToday8=TotalMessagesToday

0 Karma
1 Solution

SplunkTrust

Something like this?

   index="ActiveMQ" sourcetype=jmx mbean_property_destinationName="my.queue.name" (host="host_7" OR host="host_8")
| stats earliest(DequeueCount) AS pEarliest latest(DequeueCount) AS pCurrent by host mbean_property_destinationName
| stats sum(pEarliest) as pEarliest sum(pCurrent) as pCurrent by mbean_property_destinationName
| eval MsgsToday=pCurrent-pEarliest

That's assuming you don't actually need a regular expression match on the host field... if you do, pre-filter with a wildcard match for performance and then regex-filter with an OR'd expression to match host 7 or host 8.
The first stats calculates earliest and latest values per host and mbean, the second stats sums up values over all hosts per mbean.
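
The two-stage aggregation described in this answer, emulated in Python as an added example (not code from the thread or from Splunk). The event tuples, timestamps and counter values are constructed, and the function names are hypothetical; it also shows what a single `stats` without `by host` would return on the same events.

```python
from collections import defaultdict

# Constructed sample events (not from the thread):
# (epoch_seconds, host, queue, DequeueCount).
# DequeueCount is a cumulative counter kept separately by each host.
EVENTS = [
    (1000, "host_7", "my.queue.name", 100),
    (1060, "host_8", "my.queue.name", 5000),
    (2000, "host_7", "my.queue.name", 160),
    (2060, "host_8", "my.queue.name", 5025),
]


def earliest_latest(events, key):
    """Emulate `stats earliest(DequeueCount) latest(DequeueCount) by <key>`."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    out = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e[0])      # order each group by event time
        out[k] = (evs[0][3], evs[-1][3])  # (earliest value, latest value)
    return out


def msgs_today_per_host_then_sum(events):
    """First stats by host and queue, second stats sums over hosts per queue."""
    per_host = earliest_latest(events, key=lambda e: (e[1], e[2]))
    totals = defaultdict(lambda: [0, 0])
    for (_host, queue), (first, last) in per_host.items():
        totals[queue][0] += first
        totals[queue][1] += last
    return {q: last - first for q, (first, last) in totals.items()}


def msgs_today_without_by_host(events):
    """Single stats grouped by queue only: counters of different hosts get mixed."""
    per_queue = earliest_latest(events, key=lambda e: e[2])
    return {q: last - first for q, (first, last) in per_queue.items()}


if __name__ == "__main__":
    print(msgs_today_per_host_then_sum(EVENTS))  # 60 from host_7 + 25 from host_8
    print(msgs_today_without_by_host(EVENTS))    # host_8 latest minus host_7 earliest
```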

New Member

That works, the by host is what had me thrown for a loop. Thanks!

0 Karma