topic How to create difference of two values in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407723#M117735 <P>Q1: How can I get c4 where c4 will always be the difference of values in c3 against max of c2 - min of c2</P> <P>For example: Here c4 for A = 677-76</P> <P>Please guide.</P> <PRE><CODE>c c2 c3 A 1 76 A 2 7 A 3 6 A 4 677 B 1 65 B 2 675 B 3 90 B 4 78 C 1 121 C 2 56 C 3 54 C 4 67 D 1 56 D 2 6 D 3 5 D 4 657 </CODE></PRE> Tue, 04 Jun 2019 16:53:31 GMT reverse 2019-06-04T16:53:31Z How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407723#M117735 <P>Q1: How can I get c4 where c4 will always be the difference of values in c3 against max of c2 - min of c2</P> <P>For example: Here c4 for A = 677-76</P> <P>Please guide.</P> <PRE><CODE>c c2 c3 A 1 76 A 2 7 A 3 6 A 4 677 B 1 65 B 2 675 B 3 90 B 4 78 C 1 121 C 2 56 C 3 54 C 4 67 D 1 56 D 2 6 D 3 5 D 4 657 </CODE></PRE> Tue, 04 Jun 2019 16:53:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407723#M117735 reverse 2019-06-04T16:53:31Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407724#M117736 <P>@Vijeta please guide.</P> Tue, 04 Jun 2019 17:01:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407724#M117736 reverse 2019-06-04T17:01:46Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407725#M117737 <P>@reverse try using delta command and see if that works.</P> Tue, 04 Jun 2019 17:23:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407725#M117737 Vijeta 2019-06-04T17:23:08Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407726#M117738 <P>Could you please post an example.. dont know that command..thank you </P> Tue, 04 Jun 2019 17:30:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407726#M117738 reverse 2019-06-04T17:30:12Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407727#M117739 <P>Tried that .. it is continuing for all rows .. i want it by c1.. delta is not taking by clause </P> Tue, 04 Jun 2019 17:33:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407727#M117739 reverse 2019-06-04T17:33:58Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407728#M117740 <P>Try something like this:</P> <PRE><CODE>index="yourindex" sourcetype="yoursourcetype" | stats max(c3) as max min(c3) as min by c | eval c4=max-min </CODE></PRE> Tue, 04 Jun 2019 17:38:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407728#M117740 kmorris_splunk 2019-06-04T17:38:07Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407729#M117741 <P>@reverse ok I see you changed the question. Try below</P> <PRE><CODE>&lt;your query&gt; | stats max(c3) as max, min(c3) as min by c | eval c4=max-min </CODE></PRE> Tue, 04 Jun 2019 17:41:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407729#M117741 Vijeta 2019-06-04T17:41:22Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407730#M117742 <P>This is not producing the intended results </P> Tue, 04 Jun 2019 17:42:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407730#M117742 reverse 2019-06-04T17:42:32Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407731#M117743 <P>Please see the example </P> Tue, 04 Jun 2019 17:43:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407731#M117743 reverse 2019-06-04T17:43:41Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407732#M117744 <P>Not producing the intended result..</P> Tue, 04 Jun 2019 17:46:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407732#M117744 reverse 2019-06-04T17:46:36Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407733#M117745 <P>I need the difference of c2 against c3 values as mentioned in the example </P> Tue, 04 Jun 2019 17:48:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407733#M117745 reverse 2019-06-04T17:48:33Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407734#M117746 <P>Is this what you were looking for?</P> <PRE><CODE>index="yourindex" sourcetype="yoursourcetype" | eventstats min(c3) as min max(c3) as max by c | eval c4=max-min | table c c2 c3 c4 | sort c c2 </CODE></PRE> Tue, 04 Jun 2019 17:50:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407734#M117746 kmorris_splunk 2019-06-04T17:50:35Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407735#M117747 <P>@reverse </P> <PRE><CODE> &lt;your query&gt;| sort c c2 | stats first(c3) as first, last(c3) as last by c | eval c4=last - first </CODE></PRE> Tue, 04 Jun 2019 17:55:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407735#M117747 Vijeta 2019-06-04T17:55:51Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407736#M117748 <P>This worked but i had to add eventstats. .. was getting blank with stats</P> Tue, 04 Jun 2019 18:00:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407736#M117748 reverse 2019-06-04T18:00:47Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407737#M117749 <P>Thanks a ton @Vijeta .. Kindly help here as well..<BR /> <A href="https://answers.splunk.com/answers/750417/playing-with-data-ii.html?minQuestionBodyLength=80">https://answers.splunk.com/answers/750417/playing-with-data-ii.html?minQuestionBodyLength=80</A></P> Tue, 04 Jun 2019 18:03:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407737#M117749 reverse 2019-06-04T18:03:03Z Re: How to create difference of two values https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407738#M117750 <P>Good to know. Thanks</P> Tue, 04 Jun 2019 18:03:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-difference-of-two-values/m-p/407738#M117750 Vijeta 2019-06-04T18:03:04Z