

Having said all this, let me up-vote both of your comments to get you on the same page to keep assisting folks in need. Refer to the Voting etiquette docs for Splunk Answers Community participation. Unlike other online forums, Splunk Answers thrives on positive sentiments, hence down-voting is rarely used by community members unless the suggested solution is detrimental/irreversible for the Splunk stack. However, the best solution approach is by which tried to avoid subsearch completely and would perform better as well with map-reduce commands. Which means his comment cannot be accepted as Answer, but yours can.


Also Kamlesh has posted his answer as a comment for you to try and confirm. If you notice closely, the approach is different than yours. We do tend to give hints/performance optimization tips rather than spoon-feeding solutions.

Could you please help around difference calculation part and fillnull

Trust me, on Splunk Answers every community contributor's prime focus is the support for the poster.

|eval DiffValue= CurrentCount - OldCount |table servicename,OldCount,CurrentCount,DiffValue| search Diffvalue!=0

Don't want to change whole lot in the query as the table output is 1000 rows and outer join works fine.

Index=* myquery earliest=-15m latest=now |stats count as CurrentCount by servicename|join type=outer servicename

Table 2 (time - previous time with timerange)

ccc 4 4 0 (added just for understanding, not expected in the actual output, as I've added delta!=0 in my query at the end)

Current output with my query (Outer Join works fine but I can't see the difference value, which is the actual requirement) -

aaa 2 (null value is coming, and delta value is coming as null as well)

ccc 4 4 0 (Coming up in search, even though it should not!)

I require a table containing count of specific service compared between 2 time ranges.
