https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516911#M145308 <P>&nbsp;</P><LI-CODE lang="markup">| stats earliest(rank) as earliest_rank latest(rank) as latest_rank by user | eval final_rank = latest_rank-earliest_rank | table user final_rank</LI-CODE><P>&nbsp;</P> Sun, 30 Aug 2020 14:02:56 GMT thambisetty 2020-08-30T14:02:56Z https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516908#M145307 <P>Hello,</P> <P>Each event represents a user state and every user has rank.</P> <P>data look as follow :</P> <TABLE border="1" width="54.985955056179776%"> <TBODY> <TR> <TD width="25%" height="25px">time</TD> <TD width="25%" height="25px">rank</TD> <TD width="25%" height="25px">user</TD> </TR> <TR> <TD width="25%" height="25px">time1</TD> <TD width="25%" height="25px">30</TD> <TD width="25%" height="25px">2</TD> </TR> <TR> <TD>time1</TD> <TD>50</TD> <TD>1</TD> </TR> <TR> <TD>time2</TD> <TD>25</TD> <TD>2</TD> </TR> <TR> <TD>time2</TD> <TD>51</TD> <TD>1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Any idea on how to group events by time, and subtract the earliest rank from the latest rank for each user?</P> <P>M</P> Mon, 31 Aug 2020 23:12:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516908#M145307 amoulkaf 2020-08-31T23:12:10Z https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516911#M145308 <P>&nbsp;</P><LI-CODE lang="markup">| stats earliest(rank) as earliest_rank latest(rank) as latest_rank by user | eval final_rank = latest_rank-earliest_rank | table user final_rank</LI-CODE><P>&nbsp;</P> Sun, 30 Aug 2020 14:02:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516911#M145308 thambisetty 2020-08-30T14:02:56Z https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516916#M145311 <P>Have you more than two times/ranks for particular user and are there at least two ranks per user?</P><P>r. Ismo</P> Sun, 30 Aug 2020 14:28:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/516916#M145311 isoutamo 2020-08-30T14:28:36Z https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/517068#M145363 <P>Yes, same user can have more than two times/ranks.<BR />Solution sugjested byt thambisetty takes that into account and works perfectly.<BR />Thanks</P><DIV class="lia-message-author-avatar lia-component-author-avatar lia-component-message-view-widget-author-avatar"><DIV class="UserAvatar lia-user-avatar lia-component-common-widget-user-avatar"><P>&nbsp;</P></DIV></DIV><P>&nbsp;</P> Mon, 31 Aug 2020 16:52:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-events-subtract-earliest-rank-from-latest-rank-per/m-p/517068#M145363 amoulkaf 2020-08-31T16:52:05Z