topic Re: Column value differences in Splunk Search

Column value differences

Chinmai — Wed, 22 Mar 2017 11:50:08 GMT

Hello Guys,

I have columns like column1, coulmn2, column3... and I want output as column1, column2=column2-column1, column3=column3-column2, col4=col4-col3...

Is there any way to write search query for this?

Thanks in advance.

maffreitas — Wed, 22 Mar 2017 14:25:52 GMT

Hi, you can thy this:

index=xpto source=abc | eval column2a = column2 - column1, column3a = column3 - column2 | table column2a, column3a

adonio — Wed, 22 Mar 2017 14:59:11 GMT

use the eval command / function
... | eval newColumn = columnX - columnY
more on this topic here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

somesoni2 — Wed, 22 Mar 2017 15:25:17 GMT

How many rows do you get? Do you have other columns as well other than columnNs where N=1,2,3...?

Chinmai — Thu, 23 Mar 2017 07:09:38 GMT

Hello All,

Thanks for your answers, but the columns number is more. I cannot do colY=colY-colX every time, is there any better solution?

I have around 20-30 rows as output and other than columns col1,col2,col3.. I have another one column which I am using in my by clause of search query