I'm trying to find proper Splunk documentation about the following, but it seems pretty difficult. What I need to do is conceptually simple: I want to find out the number of certain events for two successive days and subtract them (simply subtract the numbers). For example, I need to find out the number of successful POST calls (HTTP 200) to a certain website ('somewebsite/myaction'), c1, that happened 2 days ago:
search sourcetype = myproject:prod somewebsite post myaction 200
earliest=-2d@d latest=-1d@d | stats count as c1
Also, I do the same to find out the same type of events for yesterday, let's call it c2:
search sourcetype = myproject:prod somewebsite post myaction 200
earliest=-1d@d latest=-0d@d | stats count as c2
Now all I need to do is find out c1 - c2 and trigger an event if this value is above a certain threshold. I'm trying something like this, but it doesn't show me 't':
| set diff [search sourcetype = myproject:prod somewebsite post myaction 200 earliest=-2d@d latest=-1d@d | stats count as c1]
           [search sourcetype = myproject:prod somewebsite post myaction 200 earliest=-1d@d latest=-0d@d | stats count as c2]
| eval t=(c1-c2)
Thanks,
Greetings,
Sorin
P.S.
I come very close with the following:
sourcetype=myproject:prod somewebsite post checkout 200 earliest=-2d@d latest=-1d@d
| stats count as C1
| appendcols [search sourcetype = myproject:prod somewebsite post checkout 200 earliest=-1d@d latest=-0d@d | stats count as C2]
| eval t=(C1 - C2)
Now all I need to do is to express in an alert that I want it to be triggered when t is above a threshold (e.g. t > 100). How can I do that?
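The same day-over-day comparison, written as one search that ends in a filter an alert can trigger on. This is an added example, not part of Sorin's post or of any answer on the page. It keeps the sourcetype and search terms from the post and assumes the threshold of 100 from the P.S.; `cutoff`, `C1`, `C2` and `t` are field names chosen here. Splitting the counts with `count(eval(...))` inside a single `stats` avoids the problem with `set diff`, which returns the rows that differ between the two subsearch results, so `c1` and `c2` land on separate rows and `eval t=(c1-c2)` never sees both fields on one row.

```spl
sourcetype=myproject:prod somewebsite post checkout 200 earliest=-2d@d latest=@d
| eval cutoff=relative_time(now(), "-1d@d")
| stats count(eval(_time <  cutoff)) as C1,
        count(eval(_time >= cutoff)) as C2
| eval t = C1 - C2
| where t > 100
```

`latest=@d` is the same instant as `latest=-0d@d`; the single time range covers both days and `cutoff` (midnight at the start of yesterday) splits it, so `C1` is the day before yesterday and `C2` is yesterday, matching the post. Because the search ends in `| where t > 100`, it returns one row when the threshold is exceeded and no rows otherwise, so save it as an alert scheduled shortly after midnight (for example cron `5 0 * * *`) with the trigger condition "Number of Results" greater than 0. If you prefer to keep the row for every run, drop the `where` line and use a custom trigger condition of `search t > 100` instead. Note that `C1 - C2` is positive when yesterday's count dropped relative to the day before; if a rise should also alert, compare `abs(C1 - C2)` against the threshold.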