- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to find difference between two "stats coun...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i have two saved search queries
1. sourcetype="x" "attempted" source="y" | stats count
2. sourcetype="x" "Failed" source="y" | stats count
i need to create a search query which will calculate
Passed item = (sourcetype="x" "attempted" source="y" | stats count) - (sourcetype="x" "Failed" source="y" | stats count)
and display Passed item count by hours
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="x" source="x.log" ("consolidation succeeded" OR "conversion failed") | stats count(eval(searchmatch("consolidation succeeded"))) as attempts count(eval(searchmatch("xconversion failed"))) as failures | eval successes=attempts-failures
this one worked for me...
Thanks for all the supports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="x" source="x.log" ("consolidation succeeded" OR "conversion failed") | stats count(eval(searchmatch("consolidation succeeded"))) as attempts count(eval(searchmatch("xconversion failed"))) as failures | eval successes=attempts-failures
this one worked for me...
Thanks for all the supports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
("SSO Initiated" OR "SSO Completed") | stats count(eval(searchmatch("SSO Initiated"))) as SSO_Initiated count(eval(searchmatch("SSO Completed"))) as SSO_Completed | eval Difference=SSO_Initiated-SSO_Completed
I want to create alert if Difference > 0, then mail needs to be sent. This check should keep happening every 15 minute and check in last 15 minute if Difference > 0, then trigger mail.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
give this a shot:
sourcetype="x" | stats count(eval(searchmatch("attempted"))) AS numattempts count(eval(searchmatch("Failed"))) AS numfails | eval diff=numattempts-numfails
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
