How to 2 spunk search into one result and substrac...

archonixm · ‎10-31-2018

index=oswindows sourcetype="winhost" host=npe OR host=npw source=service earliest="-30d@d" latest="@d DisplayName="Vontu Monitor"
| transaction DisplayName !(startswith="State=Stopped" endswith="State=Running")
| stats sum(duration) as abc1 by host,DisplayName

index=oswindows sourcetype="winhost" host=npe OR host=npw source=service earliest="-30d@d" latest="@d" DisplayName="Vontu Monitor"
| transaction DisplayName startswith="State=Stopped" endswith="State=Running"
| stats sum(duration) as abc2 by host, DisplayName

What I want is to substract the first sum of value by host for first search with second search. Please help me. I tried append and appendcols but it doesn't display the second search result.

kmorris_splunk · ‎10-31-2018

This is a simple example, but give something like this a try:

sourcetype=access_combined action=addtocart 
| stats sum(bytes) as bytes_atc by clientip 
| appendcols 
    [ search sourcetype=access_combined action=purchase 
    | stats sum(bytes) as bytes_purch by clientip] 
| eval sum_all=bytes_atc + bytes_purch

richgalloway · ‎10-31-2018

The two searches are identical except for the as clause so the result will always be zero.
Perhaps you meant to paste a different second search?

---
If this reply helps you, Karma would be appreciated.

archonixm · ‎10-31-2018

one with ! in it...in the transaction command...

How to 2 spunk search into one result and substract the sum value of 1 search to another search and display it?

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel