Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subtract the Results of one search from another search

ramkomarapu
Loves-to-Learn
‎06-30-2020 09:16 PM

Search 1 : index=index_123 (msg="*xyz*") | rex field=msg "results\":{\"(?<abc1>.*)\" *" | stats values(_time) as abc1_time, abc1

Search 1 : index=index_123 (msg="*mnop*") | rex field=msg "results\":{\"(?<abc2>.*)\" *" | stats values(_time) as abc2_time, abc_2

Scenario 1 :

Search 1 gave results : 11:30AM --- 123,  11:40AM --- 345

Search 2 gave results :11:34AM --- 123

I want to subtract ( search 1 - search 2) with time difference less than 3 minutes. so that i should get 123(time greater then 3 mins), 345(No record in search 2).

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-01-2020 05:49 PM

Here's an example using streamstats, where a single search is done and the data segregated on what might be your conditions, but hopefully it will help show you a way to achieve what you are trying to do - I expect there is more detail that is needed to solve your question, but see this

| makeresults 
| eval data=split("xyz-123;11:30,xyz-345;11:40,mnop-123;11:34,xyz-678;11:45,mnop-678;11:47",",")
| mvexpand data
| rex field=data "(?<msg>[\w-]+);(?<time>\d+:\d+)"
| fields - data
| eval _time=strptime(time,"%H:%M")
| search (msg="*xyz*" OR msg="*mnop*") 
| eval type=case(match(msg,"xyz"),1,match(msg,"mnop"),2)
| rex field=msg "\w+-(?<id>\d+)"
| streamstats count range(_time) as gap by id
| eventstats dc(type) as types by id
| where ((types=2 AND gap>180) OR (type=1 AND types=1))

It gives your example pair as well as another id 678, where the gap is 2 minutes, so it is ignored. 

Hope this helps

 

0 Karma
Reply

pduvofmr
Path Finder
‎07-01-2020 05:36 AM

Hi,

use strptime to convert both time values and push it into two variables.
Then you can subtract these two variables with eval...

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2020 11:26 PM

@ramkomarapu Can you please share sample events ? 

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...