Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hi, can you help me?? How can I do Three search in the same query, but the results separate for a week

DavidRojas
Engager
‎06-01-2021 10:28 AM

How can I do Three search in the same query, but the results separate for a week (the results of last 4 weeks), and the result of the three search do a operation math for a final result.

///////////////////////////

This is my query:

index="main_alarms"
| search entity_name ="*"
| dedup alarm_id, source
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats count as eventcount by _time
| rename eventcount as "TotalAlerts"
   | append [ search index="main_alarms"
   | dedup alarm_id, source
   | search entity_name ="*"
   | search alarm_rule="*"
   | where _time>relative_time(now(),"-4w@w")
   | bin _time span=1w
   | where alarm_status_desc = "Closed: False Alarm"
   | stats count as alarm_status_desc by _time
   | rename alarm_status_desc as "AlertsFalse"]
            | append [search index="main_alarms"  
            | dedup alarm_id, source
            | search entity_name ="*"
            | dedup alarm_id, source
            | search alarm_status_desc="*" alarm_rule="*" ActionStatus=*
            | where _time>relative_time(now(),"-4w@w")
            | bin _time span=1w
            | stats count as eventcount1 by _time
            | rename eventcount1 as "AlertsSmart"]
| table "TotalAlerts" "AlertsFalse" "AlertsSmart"

/////////////////////////////////////////////////////////////////////

But this is the result

DavidRojas_0-1622567463389.png

//////////////////////////////////////////

How can I get the result to be in the same row and then do the difference of the week?

| eval Diff=(("TotalAlerts")-("AlertsFalse"+"AlertsSmart"))

 

- The same index in the 3 searchs

- The last 4 weeks

- Diference =(A-(B+C))

- Chart the Columns A B C Diference

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2021 10:35 AM

Before the last table command add 

| stats values(*) as * by _time

View solution in original post

Reply
Solved! Jump to solution

DavidRojas
Engager
‎06-01-2021 12:27 PM

Thak you ITWhisperer

 

Thak you ITWhisperer

 

I Add this 3 lines in my Query, and the result successfully, thank you so much


| stats values(*) as * by _time
| eval Diff=((AlertsTotals)-(AlertsSmart+AlertsFalse))
| table AlertsTotals AlertsFalse AlertsSmart Diff

 

DavidRojas_0-1622575632190.png

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2021 10:35 AM

Before the last table command add 

| stats values(*) as * by _time
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...