Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I want to find the difference in count of processes from last 2 months

shreyasathavale
Communicator
‎03-19-2018 03:03 AM

My 1st search:
earliest=-2mon@mon latest=-1mon@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value1

My 2nd search:
earliest=-1mon@mon latest=@mon index=linux (host=abcOR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value2

I want to find Value1-Value2 or difference in count .. When I ran individual searches i got the count as 1441 and 1347 but when i used append the 2nd count reduced to 925 instead of 1347, same happens for join..
How can i find exact difference in counts?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-19-2018 03:10 AM

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-19-2018 03:10 AM

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want

0 Karma
Reply
Solved! Jump to solution

shreyasathavale
Communicator
‎03-19-2018 05:21 AM

I added | eval Month=strftime(_time,"%m %b %Y") to the command and it worked.. Thanks!!

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-19-2018 05:24 AM

Sorry, I meant date_month and not date_mday, so you could use:

 earliest=-2mon@mon latest=@mon
 index=linux (host=abc OR host=xyz) COMMAND=LMN
 | chart dc(PID) AS Value1 over host by date_month
Reply
Solved! Jump to solution

shreyasathavale
Communicator
‎03-19-2018 06:01 AM

Can you help me out with eval command for difference in these 2 months values?
My result looks like:

Month Values
01-Jan-2018 1447
02-Feb-2018 1345

I want to calculate difference of 1447-1345

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-19-2018 06:09 AM

Try the delta command:

| makeresults 
| eval A=10 
| append 
    [| makeresults 
    | eval A=20 ] 
| delta A

Don't forget to upvote useful comments

0 Karma
Reply
Solved! Jump to solution

shreyasathavale
Communicator
‎03-19-2018 04:07 AM

This search took too much time to run and finally it gave me 2 values by host and not by Month 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...