topic Re: How to subtract values from same field in subsequent event and with the resulted values i want to make a chart in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-subtract-values-from-same-field-in-subsequent-event-and/m-p/486161#M136029 <P>Does <CODE>... | streamstats window=2 range(Published) as result</CODE> do what you need?</P> Thu, 26 Sep 2019 01:28:15 GMT richgalloway 2019-09-26T01:28:15Z How to subtract values from same field in subsequent event and with the resulted values i want to make a chart https://community.splunk.com/t5/Splunk-Search/How-to-subtract-values-from-same-field-in-subsequent-event-and/m-p/486160#M136028 <P>Hi All,</P> <P>I am new to Splunk. please help me here on this requirement.</P> <P>i would like to check if there is any possibility to subtract the values from a same field in subsequent event.</P> <P>For Example i have below two events in two different time stamps.</P> <P>9/24/19<BR /> 6:52:22.000 PM </P> <P>[Tue Sep 24 16:52:22 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog&gt; Memory=1401, Direct=4096, EventMemory=0, Disk=224766, CPU=10.75, Scheduled=468, Queued=0, Connections=3, BytesIn=626255, BytesOut=113227133, Published=1677085616, Consumed=1677214707, QueueSize=0, ClientsSize=0, CommQueueSize=0</P> <P>9/24/19<BR /> 6:52:17.000 PM </P> <P>[Tue Sep 24 16:52:17 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog&gt; Memory=1607, Direct=4096, EventMemory=0, Disk=224811, CPU=4.62, Scheduled=468, Queued=0, Connections=3, BytesIn=626255, BytesOut=113207677, Published=1677078549, Consumed=1677207640, QueueSize=0, ClientsSize=0, CommQueueSize=0</P> <P>Now the result should be on this Field(Published) 1677085616 - 1677078549= result.</P> <P>........</P> <P>In the same way ,if i have next event in another time stamp, in fact every 5 seconds i have another event .</P> <P>9/24/19<BR /> 6:52:12.000 PM </P> <P>[Tue Sep 24 16:52:12 GMT 2019] [UM Server Status Generator] [com.pcbsys.foundation] - ServerStatusLog&gt; Memory=1710, Direct=4096, EventMemory=0, Disk=224404, CPU=6.25, Scheduled=467, Queued=0, Connections=3, BytesIn=626255, BytesOut=113183513, Published=1677076834, Consumed=1677205925, QueueSize=1, ClientsSize=0, CommQueueSize=0</P> <P>Now it would be like previous event field(Published) value - this event field(published) value, so it would be 1677078549 -1677076834= result.</P> <P>at the end with the resulted values i want to make a graph on the respective times.</P> <P>Thanks &amp; Regards,<BR /> Harish</P> Wed, 25 Sep 2019 23:28:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-values-from-same-field-in-subsequent-event-and/m-p/486160#M136028 harishbabu 2019-09-25T23:28:06Z Re: How to subtract values from same field in subsequent event and with the resulted values i want to make a chart https://community.splunk.com/t5/Splunk-Search/How-to-subtract-values-from-same-field-in-subsequent-event-and/m-p/486161#M136029 <P>Does <CODE>... | streamstats window=2 range(Published) as result</CODE> do what you need?</P> Thu, 26 Sep 2019 01:28:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-values-from-same-field-in-subsequent-event-and/m-p/486161#M136029 richgalloway 2019-09-26T01:28:15Z