Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to find difference between two "stats count" used in two different saved search

snabi
Explorer
‎08-15-2013 11:46 AM

So i have two saved search queries
1. sourcetype="x" "attempted" source="y" | stats count
2. sourcetype="x" "Failed" source="y" | stats count

i need to create a search query which will calculate

Passed item = (sourcetype="x" "attempted" source="y" | stats count) - (sourcetype="x" "Failed" source="y" | stats count)

and display Passed item count by hours

Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎08-15-2013 12:06 PM

sourcetype="x" source="y" (attempted OR failed) | eval isAttempted=if(searchmatch("attempted"),1,0) | eval isFailed=if(searchmatch("failed"),1,0) | stats sum(isAttempted) as attempts sum(isFailed) as failures | eval successes=attempts-failures

However I would examine the matching events for the "attempted" and "failed" searches very carefully to maked sure there aren't any false positives or negatives. Possibly this is already a boiled-down example. Note that you can have very complex boolean logic in the (attempted OR failed) side, and you can have the correspondingly complex boolean logic embedded into the searchmatch() functions so you'll be fine even if your actual case is more complex.

UPDATE:

If using eval syntax right in the stats command is more your style, that can be done too and it becomes a lot more compact:

sourcetype="x" source="y" (attempted OR failed) | stats count(eval(searchmatch("attempted"))) as attempts count(eval(searchmatch("failed"))) as failures | eval successes=attempts-failures

Reply

lukejadamec
Super Champion
‎08-15-2013 11:59 AM

It looks like you're trying to subtract apples from oranges, which cannot even be done on paper let alone splunk.
If you're trying to remove a subset of a set and the remaining items by hours, then you don't want to use stat counts. Just use a search that excludes them like this:
sourcetype="x" source="y" "attempted" | search NOT (sourcetype="x" source="y" "Failed") | stats count by _time,passeditem

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...