Splunk Search

How to display the difference between the results from two different searches?

thewho123
Explorer

I display two different graphs by using the following strings.

"Sending" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes sent"

"Receiving" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes received"

I can display both in the same graph by:

"Sending" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes sent" | appendcols [search "Receiving" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart  span=1day avg(gigabytes) AS "Gigabytes received"]

This gives me two lines (each has a value for one day for the past 7 days).

How do I display the difference between gigabytes sent and received? I want to display Gigabytes sent - gigabytes received for each day for the past 7 days.

0 Karma
1 Solution

sundareshr
Legend

Try this

"Sending" OR "Receiving" earliest=-7days | rex  "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving

View solution in original post

sundareshr
Legend

Try this

"Sending" OR "Receiving" earliest=-7days | rex  "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving

thewho123
Explorer

Is the syntax correct? I get null for y-axis description.

Also avg bytes from sending and receiving should be separate. Wouldn't this combine all of them together ?

0 Karma

sundareshr
Legend

Do you not see columns for Sending and Receiving? The avg(gb) will be calculated separately for each action. If NULL is the third column, you could add usenull=f to the timechart command. You search would look like this

index=myIndex sourcetype=mySourcetype "Sending" OR "Receiving" earliest=-7d@d | rex  "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart usenull=f span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving
0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...