Solved: Subtract events of two searches

Katsche · ‎10-10-2011

Hi all,

I have two searches here, which are nearly the same (5 Events more at one of them).
Is it somehow possible to Subtract the 289 events of the first search from the 294 other events of the second search?

Kind regards,
Katsche

Paolo_Prigione · ‎10-10-2011

Can the set command help you?

View solution in original post

Paolo_Prigione · ‎10-10-2011

Can the set command help you?

Katsche · ‎10-10-2011

Sadly there is not... but a new machine is already ordered. (12 CPU cores plus Hyperthreading instead of 2 cores witouht Hyperthreading and 96GB instead of 2GB RAM, that should work! xD)

Paolo_Prigione · ‎10-10-2011

ouch... I think Splunk doesn't provide a "| addRAM" command OOTB... 🙂

Katsche · ‎10-10-2011

Ok, this is the answer, but I will have to figure out something else, because there is not enough RAM on my machine to run such a strong search...

Katsche · ‎10-10-2011

Just checked the Search Reference Manual. Looks very promising. Let me run my search and I will get back to you. 🙂

Katsche · ‎10-10-2011

I'd like to now the 5 events which are more.

Subtract events of two searches

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update