How do you subtract two column values in Splunk?

Mohsin123 — Wed, 26 Sep 2018 09:43:14 GMT

Hi team,

say i have a column like this :

_time    A
11pm  30
10pm  40

I have to subtract 40-30 and store in a new field

How do I achieve this?

Re: How do you subtract two column values in Splunk?

harishalipaka — Wed, 26 Sep 2018 09:50:52 GMT

hi @Mohsin123

try this

|makeresults |eval A=30 |append [|makeresults |eval A=40] |delta A

If it is helped you pls accept as answer or up vote it

Re: How do you subtract two column values in Splunk?

Mohsin123 — Wed, 26 Sep 2018 09:55:35 GMT

thanks but what if i have to do this with n coloumns , its row 2 value - the row 1 value

Re: How do you subtract two column values in Splunk?

ritchierich — Wed, 30 Sep 2020 04:00:26 GMT

Splunk active/inactive users

<input type="radio" token="active_account">
  <label>Active accounts</label>
  <choice value="*">all</choice>
  <choice value="1">active</choice>
  <choice value="0">inactive</choice>
  <default>1</default>
</input>
<input type="text" token="user_field" searchWhenChanged="true">
  <label>User:</label>
  <default>*</default>
</input>
<input type="text" token="role_field" searchWhenChanged="true">
  <label>Role:</label>
  <default>*</default>
</input>


<panel>
  <table>
    <search>
      <query>| rest /services/authentication/users   | dedup title   | rename title as user | eval firstHit=0  | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active  | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key)  | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit)  | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">100</option>
  </table>
</panel>

User/Role/Index Management

<panel>
  <title>Splunk indexes with corresponding roles</title>
  <input type="radio" token="view_field1" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index</default>
  </input>
  <input type="text" token="role_field1" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field1">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup  admin_role_indexes

| eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$
| dedup role
| rex field=index max_match=200 "(?<idx>\w+)"
| lookup admin_indexes_data_owners index as idx
| stats values(index) as index, values(data_owner) as data_owner by role
-15m@m
now

20
none
none
false
true

<panel>
  <title>Splunk users details</title>
  <input type="radio" token="view_field2" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index | nomv role">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index | nomv role</default>
  </input>
  <input type="text" token="user_field2" searchWhenChanged="true">
    <label>User:</label>
    <default>*</default>
  </input>
  <input type="text" token="role_field2" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field2">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_user_index_role | rename roles as role  $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen| eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">20</option>
  </table>
</panel>

topic How do you subtract two column values in Splunk? in Splunk Search

How do you subtract two column values in Splunk?

Re: How do you subtract two column values in Splunk?

Re: How do you subtract two column values in Splunk?

Re: How do you subtract two column values in Splunk?