Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Substracting chart contents over a range

asarolkar
Builder
‎01-03-2013 05:42 PM

I have a question about constants and timechart/chart/stats

I have a search like this

sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | stats count by range

I need to be able to add a | append such that i can print the difference.

Difference = 100 - "in" - "out"

Any ideas on how stats works in the context of deducting two values gathered over time from a constant and displaying it on the exact same time chart ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎01-04-2013 12:47 AM

well, this should work. Create three counts (c, IN and OUT) in the stats function, and just eval the difference from the constant after the stats.

sourcetype=syslog |... 
| eval range = if(date_hour >= 3 OR date_hour <= 4, "in", "out") 
| stats c c(eval(range="in")) as IN c(eval(range="out")) as OUT 
| eval Difference = 100 - c

/K

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎01-04-2013 12:47 AM

well, this should work. Create three counts (c, IN and OUT) in the stats function, and just eval the difference from the constant after the stats.

sourcetype=syslog |... 
| eval range = if(date_hour >= 3 OR date_hour <= 4, "in", "out") 
| stats c c(eval(range="in")) as IN c(eval(range="out")) as OUT 
| eval Difference = 100 - c

/K

0 Karma
Reply
Solved! Jump to solution

asarolkar
Builder
‎01-04-2013 10:30 AM

Hi, What if its not a constant like 100.

What if its read from a an inputlookup like so

| inputlookup constantTable | where OrgId=100 | field CONSTANT

CONSTANT = 100

How do I incorporate an appendpipe into this without losing "in" and "out" ?

Any help would be appreciated.

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎01-04-2013 03:31 AM

And for timechart / chart its as simple as

    sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | timechart count by range | eval Difference=100-in-out
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...