Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't results can be shown when calculating the difference between two columns from two searches?

asdusert
Engager
‎10-13-2018 07:58 PM

Here is my query :

index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" 
service_name="equitydata-rawdata-producer"
 host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType | append[search  
 index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" 
 service_name="equitydata-rawdata-consumer" CountFlag="true" 
 PackageDataType |stats count by PackageDataType ]|**table DataPackageType num |streamstats max(num) as max min(num) as min by PackageDataType | eval diff=max-min | dedup DataPackageType | table DataPackageType max min diff.

When I run the above query which have been marked as "Strong" font, I can get a result like this:
PackageDataType num
CO 319
SO 420
CO 319
SO 420

But I want to count the difference between same "PackageDataType", like below format:
PackageDataType max min diff
CO 319 319 0
SO 420 420 0

So I added "streamstats.." to count it . But after I added it , no result can be shown. Is there anything wrong ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-13-2018 09:39 PM

@asdusert,

From your search, there are possibly two things you might need to change to get the desired result

  1. In your original search you are using field name PackageDataType but in the table command next to it, you are using DataPackageType which are different field names for splunk and that's the reason you are not getting the result.

  2. streamstats gives you streaming max or min. ie.when the streamstats look at the first event, it only knows CO 319 and hence it would result 319 as max and min for CO even though the second CO has a different count say 219. You may test it by running

    index=_*|stats count by sourcetype ,index|fields - sourcetype|streamstats max(count) as max,min(count) as min by index

So try stats or eventstats for the final calculation.

index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" 
service_name="equitydata-rawdata-producer"
host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType 
| append[search index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" 
service_name="equitydata-rawdata-consumer" CountFlag="true" 
|stats count by PackageDataType ]
|stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min

To your original search, just add 

 |stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-13-2018 09:39 PM

@asdusert,

From your search, there are possibly two things you might need to change to get the desired result

  1. In your original search you are using field name PackageDataType but in the table command next to it, you are using DataPackageType which are different field names for splunk and that's the reason you are not getting the result.

  2. streamstats gives you streaming max or min. ie.when the streamstats look at the first event, it only knows CO 319 and hence it would result 319 as max and min for CO even though the second CO has a different count say 219. You may test it by running

    index=_*|stats count by sourcetype ,index|fields - sourcetype|streamstats max(count) as max,min(count) as min by index

So try stats or eventstats for the final calculation.

index="basicdataapi" source="/data/api-process/logs/equitydata-rawdata-producer/application.log" 
service_name="equitydata-rawdata-producer"
host="daasynprdbd6012" CountFlag="true" PackageDataType |stats count by PackageDataType 
| append[search index=datasvc source="us-east-1:/aws/lambda/ged-equitydata-rawdata-consumer*" 
service_name="equitydata-rawdata-consumer" CountFlag="true" 
|stats count by PackageDataType ]
|stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min

To your original search, just add 

 |stats max(num) as max min(num) as min by PackageDataType | eval diff=max-min
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

asdusert
Engager
‎10-14-2018 02:40 AM

@renjith.nair Thanks so much . it works.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-14-2018 04:40 AM

@asdusert, glad that it worked. Kindly accept it as answer to close this thread. Thanks

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...