Solved: how to find difference between two "stats count" u...

snabi · ‎08-15-2013

So i have two saved search queries
1. sourcetype="x" "attempted" source="y" | stats count
2. sourcetype="x" "Failed" source="y" | stats count

i need to create a search query which will calculate

Passed item = (sourcetype="x" "attempted" source="y" | stats count) - (sourcetype="x" "Failed" source="y" | stats count)

and display Passed item count by hours

snabi · ‎08-26-2013

sourcetype="x" source="x.log" ("consolidation succeeded" OR "conversion failed") | stats count(eval(searchmatch("consolidation succeeded"))) as attempts count(eval(searchmatch("xconversion failed"))) as failures | eval successes=attempts-failures

this one worked for me...
Thanks for all the supports

View solution in original post

snabi · ‎08-26-2013

sourcetype="x" source="x.log" ("consolidation succeeded" OR "conversion failed") | stats count(eval(searchmatch("consolidation succeeded"))) as attempts count(eval(searchmatch("xconversion failed"))) as failures | eval successes=attempts-failures

this one worked for me...
Thanks for all the supports

icenitesh · ‎01-11-2021

("SSO Initiated" OR "SSO Completed") | stats count(eval(searchmatch("SSO Initiated"))) as SSO_Initiated count(eval(searchmatch("SSO Completed"))) as SSO_Completed | eval Difference=SSO_Initiated-SSO_Completed

I want to create alert if Difference > 0, then mail needs to be sent. This check should keep happening every 15 minute and check in last 15 minute if Difference > 0, then trigger mail.

starcher · ‎08-16-2013

give this a shot:
sourcetype="x" | stats count(eval(searchmatch("attempted"))) AS numattempts count(eval(searchmatch("Failed"))) AS numfails | eval diff=numattempts-numfails

how to find difference between two "stats count" used in two different saved search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!