Splunk Search

How to eval results of two searches?

Explorer

Using Splunk 4.2.3 build 105575

I have a search which I use to compare the current status of a system (1 hr window) to the status as at 1 week ago -

connect earliest=-1w@h latest=-1w@h+1h | stats count as pw |
append [ search connect earliest=-1h latest=now | stats count as cur ] | eval diff = pw - cur

I get the values for pw & cur just fine, I just can't seem to perform any calculations on them.

Is there any way to have eval (or another command) operate on the results of the main search & the sub-search?

Or is there a way to have one search cover multiple time ranges?

1 Solution

Splunk Employee

Try renaming the field as query (this will keep your current cur and should give you the stats you need)

connect earliest=-1w@h latest=-1w@h+1h | stats count as pw | eval cur = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as query ] | eval diff = pw - cur


Explorer

Perfect, exactly what I was looking for.

Thanks much!


Champion

sure you can. You can do the subsearch as an eval like so

| eval lasthour = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as search ]

This will keep the last hour as lasthour, and you can then perform stats as you wish. The rename to search allows Splunk to understand the returned data and save it within the lasthour field. Also, a great use for this is to create percentage (ratio) values to compare current data to historical data.

EDIT:
Here is a link to more detail:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork
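The full comparison search with the percentage (ratio) computation mentioned above, written out as an added example (not code posted in this thread). It assumes `connect` is the same base search term the thread uses, and it keeps the thread's convention of `diff = pw - cur`. Because `stats count` always emits exactly one row, even when no events match, the subsearch always returns a single value for eval to consume; the `if(pw=0, ...)` guard avoids dividing by zero when the previous week's window was empty.

```spl
connect earliest=-1w@h latest=-1w@h+1h
| stats count as pw
| eval cur = [ search connect earliest=-1h latest=now | stats count as cur | rename cur as search ]
| eval diff = pw - cur
| eval pct_change = if(pw=0, null(), round(100 * (cur - pw) / pw, 1))
| table pw cur diff pct_change
```

The rename to `search` (or `query`) is what makes the subsearch return the bare value `N` instead of `cur=N`, which is why eval can assign it directly. If the inner search ever returned more than one row the assignment would break, so keep a single-row aggregation such as `stats count` inside the brackets.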

Explorer

Ahhhhhhh.

Now I get it. Thanks much!


Champion

My example assumes you are running the stats command. If you add your stats in, then it will store the value of the returned count; if you just do a search, you can't just pull back X number of values into one field like that.


Explorer

Tested your suggestion like so -

search connect | eval lasthour = [ search connect earliest=-1h latest=now ]

Returns this error -

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
