https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514532#M144417 <P>I didn't get the results.&nbsp;&nbsp;</P><P>&lt;Index Search&gt;|&nbsp;</P><P>in verbose mode returns&nbsp;</P><P>1. OS=Win Category=purchased Numbers=100</P><P>2. OS=Unix Category=purchased Numbers= 200</P><P>3. OS=Win Category=sold Number=50</P><P>4. OS=Unix Category=sold Number=125</P><P>My search scenario is, if OS is Windows, I want to calculate the remaining count which is purchased - sold. How to do this.</P><P>&nbsp;</P> Mon, 17 Aug 2020 19:49:02 GMT sstanlee 2020-08-17T19:49:02Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514502#M144402 <P>Consider the below types of events</P><P>fields&nbsp; :&nbsp; &nbsp; &nbsp;OS&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;transaction&nbsp; &nbsp; &nbsp; numbers</P><P>Events:&nbsp; &nbsp; &nbsp;Win&nbsp; &nbsp; &nbsp; &nbsp; purchased&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;150</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Unix&nbsp; &nbsp; &nbsp; &nbsp;purchased&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;200</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Win&nbsp; &nbsp; &nbsp; &nbsp; sold&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;100</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Unix&nbsp; &nbsp; &nbsp; &nbsp;sold&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;125</P><P>I want the results to be:</P><P>&nbsp;</P><P>OS&nbsp; &nbsp; &nbsp; InHand(purchased-sold)</P><P>Win&nbsp; &nbsp; &nbsp; 50</P><P>Unix&nbsp; &nbsp; &nbsp;75</P><P>&nbsp;</P><P>How to do this?</P> Mon, 17 Aug 2020 17:13:36 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514502#M144402 sstanlee 2020-08-17T17:13:36Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514518#M144408 <LI-CODE lang="markup">| makeresults | eval _raw="OS,transaction,numbers Win,purchased,150 Unix,purchased,200 Win,sold,100 Unix,sold,125" | multikv forceheader=1 | xyseries OS transaction numbers | eval InHand=purchased-sold | table OS InHand</LI-CODE><P>&nbsp;</P><P>upvote if my answer solves your problem.</P> Mon, 17 Aug 2020 19:07:27 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514518#M144408 thambisetty 2020-08-17T19:07:27Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514532#M144417 <P>I didn't get the results.&nbsp;&nbsp;</P><P>&lt;Index Search&gt;|&nbsp;</P><P>in verbose mode returns&nbsp;</P><P>1. OS=Win Category=purchased Numbers=100</P><P>2. OS=Unix Category=purchased Numbers= 200</P><P>3. OS=Win Category=sold Number=50</P><P>4. OS=Unix Category=sold Number=125</P><P>My search scenario is, if OS is Windows, I want to calculate the remaining count which is purchased - sold. How to do this.</P><P>&nbsp;</P> Mon, 17 Aug 2020 19:49:02 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514532#M144417 sstanlee 2020-08-17T19:49:02Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514534#M144419 <P>I have shared query for the values you posted. I tried before posting and its working&nbsp;</P> Mon, 17 Aug 2020 20:02:53 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514534#M144419 thambisetty 2020-08-17T20:02:53Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514554#M144423 <LI-CODE lang="markup">index=_internal | head 1 | fields _raw _time | eval _raw="1. OS=Win Category=purchased Numbers=100 2. OS=Unix Category=purchased Numbers=200 3. OS=Win Category=sold Number=50 4. OS=Unix Category=sold Number=125" | multikv noheader=t | fields _raw _time | kv | rename COMMENT as "this is your sample" | eval Numbers=coalesce(Numbers,-1 * Number) | stats sum(Numbers) as "InHand(purchased-sold)" by OS</LI-CODE> Mon, 17 Aug 2020 21:47:43 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514554#M144423 to4kawa 2020-08-17T21:47:43Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514736#M144486 <P>I had more than 100 lines of data, but I quoted few as example.Initially it didnt work. I modified few of your code and it worked.&nbsp; Thanks a lot.&nbsp;</P> Tue, 18 Aug 2020 16:30:59 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514736#M144486 sstanlee 2020-08-18T16:30:59Z https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514737#M144487 <P>It worked. Thanks a lot.</P> Tue, 18 Aug 2020 16:31:35 GMT https://community.splunk.com/t5/Splunk-Search/Arithmetic-operation-on-fields-from-different-events/m-p/514737#M144487 sstanlee 2020-08-18T16:31:35Z