Subtract the Results of one search from another se...

ramkomarapu · ‎06-30-2020

Search 1 : index=index_123 (msg="*xyz*") | rex field=msg "results\":{\"(?<abc1>.*)\" *" | stats values(_time) as abc1_time, abc1

Search 1 : index=index_123 (msg="*mnop*") | rex field=msg "results\":{\"(?<abc2>.*)\" *" | stats values(_time) as abc2_time, abc_2

Scenario 1 :

Search 1 gave results : 11:30AM --- 123, 11:40AM --- 345

Search 2 gave results :11:34AM --- 123

I want to subtract ( search 1 - search 2) with time difference less than 3 minutes. so that i should get 123(time greater then 3 mins), 345(No record in search 2).

bowesmana · ‎07-01-2020

Here's an example using streamstats, where a single search is done and the data segregated on what might be your conditions, but hopefully it will help show you a way to achieve what you are trying to do - I expect there is more detail that is needed to solve your question, but see this

| makeresults 
| eval data=split("xyz-123;11:30,xyz-345;11:40,mnop-123;11:34,xyz-678;11:45,mnop-678;11:47",",")
| mvexpand data
| rex field=data "(?<msg>[\w-]+);(?<time>\d+:\d+)"
| fields - data
| eval _time=strptime(time,"%H:%M")
| search (msg="*xyz*" OR msg="*mnop*") 
| eval type=case(match(msg,"xyz"),1,match(msg,"mnop"),2)
| rex field=msg "\w+-(?<id>\d+)"
| streamstats count range(_time) as gap by id
| eventstats dc(type) as types by id
| where ((types=2 AND gap>180) OR (type=1 AND types=1))

It gives your example pair as well as another id 678, where the gap is 2 minutes, so it is ignored.

Hope this helps

pduvofmr · ‎07-01-2020

Hi,

use strptime to convert both time values and push it into two variables.
Then you can subtract these two variables with eval...

kamlesh_vaghela · ‎06-30-2020

@ramkomarapu Can you please share sample events ?

Subtract the Results of one search from another search

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!