Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to run operations on values from a main search and sub search?

kaphie2002
New Member
‎02-15-2018 10:33 AM

I have a log file that shows the number of jobs that have been started by an application and the jobs that have been completed. I am trying to determine the jobs that are still running ("Jobs Started" - "Job completed"). I have tried the query below but it is not working:

$Request$ host="host*" Job complete | stats count as var1 | Append [ search $Request$ host="host*" Processing Job | stats count  as var2] |eval diff=var1-var2 | table diff

Does anyone have ideas on how to accomplish this?

Thanks
Kafayat

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-15-2018 11:52 AM

I suspect that the subsearch is timing out if you're running it like that - that is to say, without specifying the index and sourcetype. It is enormously inefficient to run a search without specifying index and sourcetype. But maybe $Request$actually contains those; I obviously don't know. So step 1: ensure you are specifying index and sourcetype.

But step two will be to combine the two searches, especially since they both will be searching the same log. Here's a good way to combine them:

index=something sourcetype=whatever $Request$ host="host*" "Job complete" OR "Processing Job"
| stats count(eval(like(_raw, "%Job complete%"))) AS completed_count count(eval(like(_raw, "%Processing Job%"))) AS processing_count
| eval diff=completed_count - processing_count 
| table diff

If the values "Job complete" and "Processing Job" are actually extracted out into a field at search time, you could make this even more efficient by replacing _raw in the stats line with the name of the field that contains those values.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-15-2018 11:52 AM

I suspect that the subsearch is timing out if you're running it like that - that is to say, without specifying the index and sourcetype. It is enormously inefficient to run a search without specifying index and sourcetype. But maybe $Request$actually contains those; I obviously don't know. So step 1: ensure you are specifying index and sourcetype.

But step two will be to combine the two searches, especially since they both will be searching the same log. Here's a good way to combine them:

index=something sourcetype=whatever $Request$ host="host*" "Job complete" OR "Processing Job"
| stats count(eval(like(_raw, "%Job complete%"))) AS completed_count count(eval(like(_raw, "%Processing Job%"))) AS processing_count
| eval diff=completed_count - processing_count 
| table diff

If the values "Job complete" and "Processing Job" are actually extracted out into a field at search time, you could make this even more efficient by replacing _raw in the stats line with the name of the field that contains those values.

0 Karma
Reply
Solved! Jump to solution

kaphie2002
New Member
‎02-20-2018 11:42 AM

This worked flawlessly! Thank You

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...