Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two timechart query that extract the difference ?

Maickeen
Engager
‎03-22-2022 08:13 AM

Query 1:

(index=iks) "Procces started" | timechart count span=1d

Query 2: 

(index=iks) "Procces finished" | timechart count span=1d

 

I want to display the result of Query 1 - Query 2 for each day

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-22-2022 08:22 AM

Try like this

(index=iks) "Procces started" OR "Procces finished" 
| eval type=if(searchmatch("Procces started"),"Process_Started","Process_Finished")
| timechart count span=1d by type
| eval differenc=Process_Started-Process_Finished

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-22-2022 08:22 AM

Try like this

(index=iks) "Procces started" OR "Procces finished" 
| eval type=if(searchmatch("Procces started"),"Process_Started","Process_Finished")
| timechart count span=1d by type
| eval differenc=Process_Started-Process_Finished
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...