Splunk Search

I want to find the difference in count of processes from last 2 months

shreyasathavale
Communicator

My 1st search:
earliest=-2mon@mon latest=-1mon@mon index=linux (host=abc OR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value1

My 2nd search:
earliest=-1mon@mon latest=@mon index=linux (host=abcOR host=xyz) COMMAND=LMN|dedup host,PID|stats count(PID) AS Value2

I want to find Value1-Value2 or difference in count .. When I ran individual searches i got the count as 1441 and 1347 but when i used append the 2nd count reduced to 925 instead of 1347, same happens for join..
How can i find exact difference in counts?

Tags (1)
0 Karma
1 Solution

tiagofbmm
Influencer

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want

View solution in original post

0 Karma

tiagofbmm
Influencer

I think you could simplify things here with one search:

earliest=-2mon@mon latest=@mon
index=linux (host=abc OR host=xyz) COMMAND=LMN
| chart dc(PID) AS Value1 over host by date_mday

Then use eval to do the difference between the months you want

0 Karma

shreyasathavale
Communicator

I added | eval Month=strftime(_time,"%m %b %Y") to the command and it worked.. Thanks!!

0 Karma

tiagofbmm
Influencer

Sorry, I meant date_month and not date_mday, so you could use:

 earliest=-2mon@mon latest=@mon
 index=linux (host=abc OR host=xyz) COMMAND=LMN
 | chart dc(PID) AS Value1 over host by date_month

shreyasathavale
Communicator

Can you help me out with eval command for difference in these 2 months values?
My result looks like:

Month Values
01-Jan-2018 1447
02-Feb-2018 1345

I want to calculate difference of 1447-1345

0 Karma

tiagofbmm
Influencer

Try the delta command:

| makeresults 
| eval A=10 
| append 
    [| makeresults 
    | eval A=20 ] 
| delta A

Don't forget to upvote useful comments

0 Karma

shreyasathavale
Communicator

This search took too much time to run and finally it gave me 2 values by host and not by Month 😞

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...