https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378383#M110913 <P>@reverse try the following run anywhere example which prepares data similar to your question. from <CODE>|makeresults</CODE> till <CODE>| fields - data count</CODE></P> <PRE><CODE>| makeresults | eval data="Jan-1 100 60 87 78 86 545 53 509 56 545 656;Jan-2 110 60 87 78 86 545 53 509 56 545 656;Jan-3 111 60 87 78 86 545 53 509 56 545 655;Jan-4 112 60 89 78 86 545 53 509 56 545 656" | makemv data delim=";" | stats count by data | makemv data delim=" " | eval date=mvindex(data,0), field1=mvindex(data,1), field2=mvindex(data,2), field3=mvindex(data,3), field4=mvindex(data,4), field5=mvindex(data,5), field6=mvindex(data,6), field7=mvindex(data,7), field8=mvindex(data,8), field9=mvindex(data,9), field10=mvindex(data,10) | fields - data count | fields - date | stats first(*) as first* last(*) as last* | foreach first* [| eval diff_&lt;&lt;MATCHSTR&gt;&gt;=first&lt;&lt;MATCHSTR&gt;&gt;-last&lt;&lt;MATCHSTR&gt;&gt;] | fields diff_* </CODE></PRE> <P>Then the remaining command calculate difference as per your requirement. Since you have not provided field names I have cooked up all of it as field1, field2 etc.</P> Sat, 18 May 2019 16:57:20 GMT niketn 2019-05-18T16:57:20Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378377#M110907 <PRE><CODE>Jan-1 100 60 87 78 86 545 53 509 56 545 656 Jan2 110 60 87 78 86 545 53 509 56 545 656 Jan-3 111 60 87 78 86 545 53 509 56 545 655 Jan-4 112 60 89 78 86 545 53 509 56 545 656 </CODE></PRE> <P><STRONG><CODE>diff 2 0 2 0 ....</CODE></STRONG><BR /> I have to compute "always" the difference between last row and first row ( diff)<BR /> How can I achieve this ?<BR /> Thanks</P> Sat, 18 May 2019 00:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378377#M110907 reverse 2019-05-18T00:35:28Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378378#M110908 <P>results would be dynamic.. first column</P> Sat, 18 May 2019 02:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378378#M110908 reverse 2019-05-18T02:08:44Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378379#M110909 <P>@reverse please add more details to your problem. For the data provided what is the output you need?</P> Sat, 18 May 2019 14:07:20 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378379#M110909 niketn 2019-05-18T14:07:20Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378380#M110910 <P>diff is the output</P> Sat, 18 May 2019 14:28:51 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378380#M110910 reverse 2019-05-18T14:28:51Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378381#M110911 <P>@reverse the number of rows is it fixed or can it vary? Also once you have the difference do you want to output only the difference?</P> Sat, 18 May 2019 16:46:08 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378381#M110911 niketn 2019-05-18T16:46:08Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378382#M110912 <P>Rows will vary as per timepicker range .. last 7 days 30 days .. so on .. columns are fixed though</P> Sat, 18 May 2019 16:48:49 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378382#M110912 reverse 2019-05-18T16:48:49Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378383#M110913 <P>@reverse try the following run anywhere example which prepares data similar to your question. from <CODE>|makeresults</CODE> till <CODE>| fields - data count</CODE></P> <PRE><CODE>| makeresults | eval data="Jan-1 100 60 87 78 86 545 53 509 56 545 656;Jan-2 110 60 87 78 86 545 53 509 56 545 656;Jan-3 111 60 87 78 86 545 53 509 56 545 655;Jan-4 112 60 89 78 86 545 53 509 56 545 656" | makemv data delim=";" | stats count by data | makemv data delim=" " | eval date=mvindex(data,0), field1=mvindex(data,1), field2=mvindex(data,2), field3=mvindex(data,3), field4=mvindex(data,4), field5=mvindex(data,5), field6=mvindex(data,6), field7=mvindex(data,7), field8=mvindex(data,8), field9=mvindex(data,9), field10=mvindex(data,10) | fields - data count | fields - date | stats first(*) as first* last(*) as last* | foreach first* [| eval diff_&lt;&lt;MATCHSTR&gt;&gt;=first&lt;&lt;MATCHSTR&gt;&gt;-last&lt;&lt;MATCHSTR&gt;&gt;] | fields diff_* </CODE></PRE> <P>Then the remaining command calculate difference as per your requirement. Since you have not provided field names I have cooked up all of it as field1, field2 etc.</P> Sat, 18 May 2019 16:57:20 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378383#M110913 niketn 2019-05-18T16:57:20Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378384#M110914 <P>it worked.. thanks! how can i show <STRONG>only</STRONG> that data where <EM>diff was maximum</EM>... like top 2.. I know it is complex</P> Sat, 18 May 2019 17:06:19 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378384#M110914 reverse 2019-05-18T17:06:19Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378385#M110915 <P>how can i show only that data where diff was maximum... like top 2..</P> Sun, 19 May 2019 03:15:02 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378385#M110915 reverse 2019-05-19T03:15:02Z https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378386#M110916 <P>@reverse try appending the following to your existing search.</P> <PRE><CODE>| transpose 0 column_name=difference | sort 0 - "row 1" | head 2 | transpose header_field=difference | fields diff_* </CODE></PRE> Sun, 19 May 2019 17:25:24 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-rows-of-query-result/m-p/378386#M110916 niketn 2019-05-19T17:25:24Z