Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Graph the difference between the totals of 2 search calculations

GClef
New Member
‎02-29-2024 12:47 PM

Dear SPLUNKos

I need to create a time chart as per the below
Run one “grand total” search
Run second search which is a dedup of the first search.
Subtract the difference and timechart only the difference.

I have got to the point below which gives me a table of data but I cannot get this to chart : Mr SPLUNK in my organisation tells me this cannot be done which is  borne out by the documentation on the timechart command which indicates it can only reference field data not calculated data . Is there a way?

<SEARCH-GRANDTOTAL> | stats count as Grandtotal
|  appendcols [ <SEARCH-2> | stats count as TotalDeDup ]
|  eval diff= Grandtotal - TotalDeDup
Labels (1)
Labels
0 Karma
Reply

GClef
New Member
‎02-29-2024 03:20 PM

Thanks, I would appreciate it  if you stepped back from this : I will see if anyone else in the community has an idea / understands what I am saying 🙂  Have a great day Rick

0 Karma
Reply

GClef
New Member
‎02-29-2024 03:06 PM

I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one from the other and want to graph that value against time. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:14 PM

Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you apparently know better. But then again - why asking for help in the first place?

0 Karma
Reply

GClef
New Member
‎02-29-2024 02:27 PM

Timechart the difference against time...  The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermittently and significantly duplicating individual log entries due to something in the way they are forwarding so I want to chart this to have an artefact I can point at for analysis.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:02 PM

But your search shows just two data points. Without more details on your data it's impossible to help you.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 02:17 PM

What would you want to timechart here as you have only two values? This makes no sense.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...