Using Splunk 4.2.3 build 105575
I have a search which I use to compare the current status of a system (1 hr window) to the status as at 1 week ago -
connect earliest=-1w@h latest=-1w@h+1h | stats count as pw |
append [ search connect earliest=-1h latest=now | stats count as cur] | eval diff = pw -cur
I get the values for pw & cur just fine, I just can't seem to perform any calculations on them.
Is there any way to have eval (or another command) operate on the results of the main search & the sub-search?
Or is there a way to have one search cover multiple time ranges?
Try renaming the field as query (this will keep your current cur and should give you the stats you need)
connect earliest=-1w@h latest=-1w@h+1h | stats count as pw | eval cur= [search connect earliest=-1h latest=now | stats count as cur|rename cur as query] | eval diff = pw -cur
Perfect, exactly what I was looking for.
Thanks much!
Sure you can. You can do the subsearch as an eval like so:
| eval lasthour = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as search ]
This will keep the last hour as lasthour and you can then perform stats as you wish. The rename to search allows Splunk to understand the returned data and save it within the lasthour field. Also a great use for this is to create percentage (ratio) values to compare current data to historical data.
EDIT:
Here is a link to more detail:
http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork
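A complete version of the week-over-week comparison built on this eval-subsearch technique, added here as an example rather than taken from the thread; it assumes the `connect` search term from the question and adds a guarded percentage so an empty previous-week window does not divide by zero:

```spl
connect earliest=-1w@h latest=-1w@h+1h
| stats count as pw
| eval cur = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as search ]
| eval diff = pw - cur
| eval pct_of_last_week = if(pw > 0, round(100 * cur / pw, 1), null())
| fields pw, cur, diff, pct_of_last_week
```

The inner `stats count` always returns exactly one row, even when nothing matched, so the subsearch expands to a plain number and the eval never receives a boolean search expression.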
Ahhhhhhh.
Now I get it. Thanks much!
My example assumes you are running the stats command. If you add your stats in, then it will store the value of the returned count; if you just do a search, you can't just pull back X number of values into one field like that.
Tested your suggestion like so -
search connect | eval lasthour = [ search connect earliest=-1h latest=now ]
Returns this error -
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
