https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467267#M131506 <P>thanks aberkov, that did the trick. I just needed to add an 'AND' between the conditions on line 5, and add the 'chart p95(durationA) p95(durationB) p95(delta_duration)' at the end</P> Wed, 18 Dec 2019 21:55:18 GMT econstantin 2019-12-18T21:55:18Z https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467264#M131503 <P>I've got two different events that have identical data points, including an id. I'd like to join the events on an id and then find the delta between a field that's found in each one.</P> <P>For example</P> <PRE><CODE>Event1: { type='eventA', id: '123', duration: 500} Event2: { type='eventB' ,id: '123', duration: 550} Event3: { type='eventB' ,id: '456', duration: 200} // this one should be ignored since it doesn't have an id that found in both eventA and eventB </CODE></PRE> <P>I'd like to get some output like this:</P> <PRE><CODE>p95(eventA_duration) p95(eventB_duration) p95(delta_duration) </CODE></PRE> <P>(i.e. I think there'd be something in there like: <CODE>| eval delta_duration = eventB_duration - eventA_duration</CODE> )</P> <P>Many thanks!</P> Wed, 18 Dec 2019 02:17:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467264#M131503 econstantin 2019-12-18T02:17:35Z https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467265#M131504 <P>So eval will only work if you have both fields in the same row, which won't work until you've aggregated your two rows into one. That being said, you have to rename the fields so as not to lose them when you convert them (or you can make it a multivalue field and deal with some splitting and other stuff). I'd suggest something like this:</P> <PRE><CODE>baseSearch | eval durationEventA = if(type="eventA", duration, null()) | eval durationEventB = if(type="eventB", duration, null()) | stats values(durationEventA) as durationEventA, values(durationEventB) as durationEventB by id | where isnotnull(durationEventA) isnotnull(durationEventB) | eval delta_duration= durationEventB - durationEventA </CODE></PRE> <P>What I'm doing here: creating two fields on each log that will either be null or have a duration, then aggregating them by id, filtering out those that don't have both, and taking the delta.</P> <P>Hope this helps!</P> Wed, 18 Dec 2019 16:53:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467265#M131504 aberkow 2019-12-18T16:53:26Z https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467266#M131505 <P>Like this:</P> <PRE><CODE>index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" | eventstats count(eval(type="eventA")) AS eventAcount BY id | where eventAcount &gt; 0 | eval {type}_duration = duration | eventstats range(duration) AS delta_duration BY ID | stats perc95(eventA_duration) perc95(eventB_duration) perc95(delta_duration) </CODE></PRE> Wed, 18 Dec 2019 19:57:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467266#M131505 woodcock 2019-12-18T19:57:55Z https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467267#M131506 <P>thanks aberkov, that did the trick. I just needed to add an 'AND' between the conditions on line 5, and add the 'chart p95(durationA) p95(durationB) p95(delta_duration)' at the end</P> Wed, 18 Dec 2019 21:55:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-events-on-an-id-and-subtract-values-from-same-named/m-p/467267#M131506 econstantin 2019-12-18T21:55:18Z