
How to search the difference between two values that share the same field name from two different sourcetypes?

I'm trying to get the difference between two values that share the same field name from two different sourcetypes that contain a field indicating a request has been completed.

A.

sourcetype=one AND event="FINISH" (the field that I'm interested in here would be responseTime)

B.

sourcetype=two AND event="COMPLETE" (again, looking for responseTime)

How do I plot the difference between responseTime A and responseTime B?


Re: How to search the difference between two values that share the same field name from two different sourcetypes?

SplunkTrust

Hi jp28,

Take this run-everywhere example to get an idea of how this can be done.
First, I'm searching on two indexes:

index=_internal OR index=_audit 

then bucket into time ranges:

| bin _time span=1min 

then use evals to get different values from the different sourcetypes:

| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time 

and finally graph them as a timechart with a difference line:

| eval diff=audittrail_value-splunkd_value 
| timechart span=10min max(diff) AS diff max(audittrail_value) AS audit max(splunkd_value) AS splunkd

So the complete search is this:

index=_internal OR index=_audit 
| bin _time span=1min 
| stats max(eval(if(sourcetype=="splunkd", kbps, null()))) AS splunkd_value values(eval(if(sourcetype=="audittrail", date_hour, null()))) AS audittrail_value by _time 
| eval diff=audittrail_value-splunkd_value 
| timechart span=10min max(diff) AS diff max(audittrail_value) AS audit max(splunkd_value) AS splunkd

Hope this helps to get you started ...

cheers, MuS
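The pipeline in the answer above (bin by time, conditional aggregation per sourcetype, subtract, re-bucket for the chart) is a general pattern, and it is worth seeing it work on concrete events. The following is an added Python example, not code from the thread or from Splunk; it reproduces the same steps offline on a constructed event list shaped like the asker's case (sourcetype one/FINISH vs two/COMPLETE, field responseTime), uses max() on both sides so each bucket yields a single number, and shows the edge case the SPL also has: a bucket where one side has no events gets a null diff rather than a misleading zero.

```python
from collections import defaultdict

# Constructed sample events (not real Splunk data). Epoch seconds, sourcetype,
# event status and responseTime, mirroring the asker's two sourcetypes.
T0 = 1_700_000_040  # chosen so that T0 is a 1-minute bucket boundary
SAMPLE_EVENTS = [
    {"_time": T0 + 0,   "sourcetype": "one", "event": "FINISH",   "responseTime": 120},
    {"_time": T0 + 10,  "sourcetype": "one", "event": "FINISH",   "responseTime": 150},
    {"_time": T0 + 20,  "sourcetype": "two", "event": "COMPLETE", "responseTime": 90},
    {"_time": T0 + 30,  "sourcetype": "one", "event": "START",    "responseTime": 999},  # not a completion, ignored
    {"_time": T0 + 70,  "sourcetype": "two", "event": "COMPLETE", "responseTime": 200},
    {"_time": T0 + 80,  "sourcetype": "two", "event": "COMPLETE", "responseTime": 180},
    # second minute has no sourcetype=one completion -> diff is None for that bucket
    {"_time": T0 + 130, "sourcetype": "one", "event": "FINISH",   "responseTime": 100},
    {"_time": T0 + 140, "sourcetype": "two", "event": "COMPLETE", "responseTime": 60},
]

# Which (sourcetype, event) pair counts as a completed request on each side.
SIDE_A = ("one", "FINISH")
SIDE_B = ("two", "COMPLETE")


def bin_time(ts, span):
    """Equivalent of `| bin _time span=<span>`: floor the timestamp to its bucket start."""
    return ts - (ts % span)


def response_time_diff(events, span=60, field="responseTime"):
    """Equivalent of `| stats max(eval(if(...))) ... by _time | eval diff=B-A`.

    Per bucket, take max(field) for side A and side B separately, then
    diff = B - A. Like SPL arithmetic on a null field, a bucket missing
    either side gets diff None instead of a fabricated 0.
    """
    buckets = defaultdict(lambda: {"a": None, "b": None})
    for ev in events:
        key = (ev["sourcetype"], ev["event"])
        if key == SIDE_A:
            side = "a"
        elif key == SIDE_B:
            side = "b"
        else:
            continue  # the eval(if(...)) would return null(); stats ignores it
        bucket = buckets[bin_time(ev["_time"], span)]
        val = ev[field]
        bucket[side] = val if bucket[side] is None else max(bucket[side], val)

    rows = []
    for t in sorted(buckets):
        a, b = buckets[t]["a"], buckets[t]["b"]
        diff = None if a is None or b is None else b - a
        rows.append({"_time": t, "a_value": a, "b_value": b, "diff": diff})
    return rows


def timechart_max(rows, span=600, col="diff"):
    """Equivalent of `| timechart span=10min max(diff)`: re-bucket the stats rows
    into wider spans and keep the max non-null value per span."""
    out = {}
    for r in rows:
        if r[col] is None:
            continue  # max() skips nulls, same as SPL
        t = bin_time(r["_time"], span)
        out[t] = r[col] if t not in out else max(out[t], r[col])
    return dict(sorted(out.items()))


if __name__ == "__main__":
    for row in response_time_diff(SAMPLE_EVENTS):
        print(row)
    print(timechart_max(response_time_diff(SAMPLE_EVENTS)))
```

Run it as-is to see three one-minute rows (diff -60, None, -40) collapsed into a single ten-minute point of -40; swapping SIDE_A/SIDE_B or the field name is all that is needed to adapt it to other sourcetype pairs.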