https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371294#M165856 <P>Hi Splunk Experts,<BR /> I need to create a report to display the table record count difference between two databases during a period of time.</P> <P>Events (list) are captured as follow:<BR /> db_name table_name row_count<BR /> x a 4<BR /> x b 3<BR /> y a 4<BR /> y b 1</P> <P>Report should look like this:</P> <P>table_name x y rec_diff <BR /> a 4 4 0<BR /> b 3 1 2</P> <P>Any help will be very appreciated.</P> Tue, 29 Sep 2020 16:03:45 GMT romoc 2020-09-29T16:03:45Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371294#M165856 <P>Hi Splunk Experts,<BR /> I need to create a report to display the table record count difference between two databases during a period of time.</P> <P>Events (list) are captured as follow:<BR /> db_name table_name row_count<BR /> x a 4<BR /> x b 3<BR /> y a 4<BR /> y b 1</P> <P>Report should look like this:</P> <P>table_name x y rec_diff <BR /> a 4 4 0<BR /> b 3 1 2</P> <P>Any help will be very appreciated.</P> Tue, 29 Sep 2020 16:03:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371294#M165856 romoc 2020-09-29T16:03:45Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371295#M165857 <P>|chart values(row_count) over table_name by db_name |eval rec_diff=x-y|table table_name * rec_diff</P> Tue, 29 Sep 2020 16:00:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371295#M165857 xisura 2020-09-29T16:00:06Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371296#M165858 <P>@romoc, does your table always have 4 rows? Will it have only two rows for specific table_name one for each x and y? If not please add more sample data and correlation. If so following answer by @xisura should work.</P> Mon, 02 Oct 2017 03:12:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371296#M165858 niketn 2017-10-02T03:12:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371297#M165859 <P>Hi Niketnilay,<BR /> That was just a sample of records - there would be more tables to compare and the list could grow over the time. What is a fact, there would be always two databases to compare - x and y in this case.</P> Mon, 02 Oct 2017 16:57:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371297#M165859 romoc 2017-10-02T16:57:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371298#M165860 <P>Thanks Xisure - I tried your suggestion but it get no results found. By the way, x and y are the possible values for field db_name so, I'm not sure if the eval function is expressed correctly. For example, this is in fact how some events (from all the list of possible events) look like:</P> <P>DB_NAME="x", TABLE_NAME="a", SNAP_DATE="2017-09-30 21:17:16.267", ROW_COUNT="183"<BR /> DB_NAME="y", TABLE_NAME="a", SNAP_DATE="2017-10-01 01:12:35.0", ROW_COUNT="180"<BR /> DB_NAME="y", TABLE_NAME="b", SNAP_DATE="2017-09-30 21:17:16.267", ROW_COUNT="1731"<BR /> DB_NAME="x", TABLE_NAME="b", SNAP_DATE="2017-10-01 01:12:35.0", ROW_COUNT="1738"</P> <P>I will appreciate any help.</P> <P>Thanks</P> Tue, 29 Sep 2020 16:00:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371298#M165860 romoc 2020-09-29T16:00:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371299#M165861 <P>If that is the case, the answer by @xisura should work. Please try out and confirm.</P> Mon, 02 Oct 2017 17:25:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371299#M165861 niketn 2017-10-02T17:25:47Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371300#M165862 <P>Thanks xisura - I tried your suggestion but unfortunately I get "no results found". I want to clarify also that x and y are the two possible values for db_name and I'm not sure if function eval rec_diff=x-y would work. This is a sample of 4 events captured: </P> <P>2017-10-01 01:47:16.541, DB_NAME="x", TABLE_NAME="a", SNAP_DATE="2017-09-30 21:47:16.2", ROW_COUNT="183"<BR /> 2017-10-01 01:42:36.069, DB_NAME="y", TABLE_NAME="a", SNAP_DATE="2017-10-01 01:42:35.0", ROW_COUNT="183"<BR /> 2017-10-01 01:47:16.541, DB_NAME="x", TABLE_NAME="b", SNAP_DATE="2017-09-30 21:47:16.2", ROW_COUNT="1731"<BR /> 2017-10-01 01:42:36.069, DB_NAME="y", TABLE_NAME="b", SNAP_DATE="2017-10-01 01:42:35.0", ROW_COUNT="1738"</P> <P>I'll appreciate any help on this.<BR /> Thanks</P> Tue, 29 Sep 2020 16:00:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371300#M165862 romoc 2020-09-29T16:00:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371301#M165863 <P>Hi Niketnilay - I just replied @xisura. I'm not getting the expected results yet and provided further details. Hope you could have any other suggestion.</P> Mon, 02 Oct 2017 17:33:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371301#M165863 romoc 2017-10-02T17:33:02Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371302#M165864 <P>@romoc, <CODE>field names are case sensitive in Splunk</CODE>. In your question you had tabular data with lower case field names. However, in the raw events you seem to have upper case field names. So try the following:</P> <PRE><CODE>| chart first(ROW_COUNT) as ROW_COUNT over TABLE_NAME by DB_NAME | eval REC_DIFF=y-x | table TABLE_NAME x y REC_DIFF </CODE></PRE> <P>Following is a run anywhere search which mocks up data similar to your example above and then performs the chart function as </P> <PRE><CODE>| makeresults | eval data="x,a,183;x,b,1781;y,a,183;y,b,1783;x,c,150;x,d,1780;y,c,151;y,d,1785;" | makemv delim=";" data | mvexpand data | eval data=split(data,",") | eval DB_NAME=mvindex(data,0) | eval TABLE_NAME=mvindex(data,1) | eval ROW_COUNT=mvindex(data,2) | table DB_NAME TABLE_NAME ROW_COUNT | sort TABLE_NAME DB_NAME | chart first(ROW_COUNT) as ROW_COUNT over TABLE_NAME by DB_NAME | eval REC_DIFF=y-x | table TABLE_NAME x y REC_DIFF </CODE></PRE> <P>PS: Commands till <CODE>| sort TABLE_NAME DB_NAME</CODE> generates the mock data for testing.</P> Mon, 02 Oct 2017 17:57:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371302#M165864 niketn 2017-10-02T17:57:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371303#M165865 <P>It worked like a charm! thanks @niketnilay!</P> Mon, 02 Oct 2017 18:05:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371303#M165865 romoc 2017-10-02T18:05:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371304#M165866 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/47492">@romoc</a>,</P> <P>I tried to simulate your case, I index the sample data you gave since there are key pair value which splunk will auto extract for you in search time , i dont need to manually extract it. So I run my search </P> <P>index="test" sourcetype="test2" source="/home/Documents/test2.txt" |chart values(ROW_COUNT) over TABLE_NAME by DB_NAME |eval REC_DIFF=x-y|table TABLE_NAME x y REC_DIFF</P> <P>and it works <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>note: I use the "*" on my first answer inside the table so i twill show all the values under DB_NAME in order also values are not static.</P> Tue, 29 Sep 2020 16:00:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-calculated-column-in-a-table/m-p/371304#M165866 xisura 2020-09-29T16:00:34Z