https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147545#M185320 <P>Hi experts,</P> <P>I am trying to find a way of extracting information out of a search result and combining this information with another row. It's pretty hard to explain, so let me show you what I mean:</P> <P>Search: <STRONG>index=idx LogType="Locations"</STRONG></P> <P>Result:</P> <P><STRONG>_time | Latitude |Longitude</STRONG><BR /> 13:27:00 | 52.111 | 17.111<BR /> 13:30:00 | 52.222 | 17.222<BR /> 13:33:00 | 52.333 | 17.333<BR /> 13:36:00 | 52.444 | 17.444</P> <P>This is the basic search I got. Now I would like to calculate the distance between each of the result rows. I found a plugin called haversine (<A href="https://splunkbase.splunk.com/app/936/#/overview">https://splunkbase.splunk.com/app/936/#/overview</A>) which calculates the distance between two geo locations, so that is not really the problem, but what I'm really struggling with is to combine two rows of this search. </P> <P>Ultimately, in the above example it should calculate three distances, dist(52.444, 17.444 -&gt; 52.333, 17.333), dist(52.333, 17.333 -&gt; 52.222, 17.222) and dist(52.222, 17.222 -&gt; 52.111, 17.111).</P> <P>So the final result could look like this:</P> <P><STRONG>_time | Distance</STRONG><BR /> 13:36:00 | 5000<BR /> 13:33:00 | 4800<BR /> 13:30:00 | 4600</P> <P>Does anyone have an idea how something like this would be possible? </P> <P>Thanks a lot,<BR /> Christian</P> Mon, 20 Apr 2015 07:57:30 GMT MemoreX42 2015-04-20T07:57:30Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147545#M185320 <P>Hi experts,</P> <P>I am trying to find a way of extracting information out of a search result and combining this information with another row. It's pretty hard to explain, so let me show you what I mean:</P> <P>Search: <STRONG>index=idx LogType="Locations"</STRONG></P> <P>Result:</P> <P><STRONG>_time | Latitude |Longitude</STRONG><BR /> 13:27:00 | 52.111 | 17.111<BR /> 13:30:00 | 52.222 | 17.222<BR /> 13:33:00 | 52.333 | 17.333<BR /> 13:36:00 | 52.444 | 17.444</P> <P>This is the basic search I got. Now I would like to calculate the distance between each of the result rows. I found a plugin called haversine (<A href="https://splunkbase.splunk.com/app/936/#/overview">https://splunkbase.splunk.com/app/936/#/overview</A>) which calculates the distance between two geo locations, so that is not really the problem, but what I'm really struggling with is to combine two rows of this search. </P> <P>Ultimately, in the above example it should calculate three distances, dist(52.444, 17.444 -&gt; 52.333, 17.333), dist(52.333, 17.333 -&gt; 52.222, 17.222) and dist(52.222, 17.222 -&gt; 52.111, 17.111).</P> <P>So the final result could look like this:</P> <P><STRONG>_time | Distance</STRONG><BR /> 13:36:00 | 5000<BR /> 13:33:00 | 4800<BR /> 13:30:00 | 4600</P> <P>Does anyone have an idea how something like this would be possible? </P> <P>Thanks a lot,<BR /> Christian</P> Mon, 20 Apr 2015 07:57:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147545#M185320 MemoreX42 2015-04-20T07:57:30Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147546#M185321 <P>The way to go when you want to compare two (or more) rows is <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Streamstats">streamstats</A>. I would imagine that you could set <CODE>window=2</CODE> and use <CODE>last()</CODE> to get the value from the previous row (don't forget to set <CODE>current=false</CODE> for this to work), then input those two into haversine.</P> Mon, 20 Apr 2015 08:36:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147546#M185321 jeffland 2015-04-20T08:36:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147547#M185322 <P>Hi,</P> <P>used your example data i used </P> <PRE><CODE>index=temp sourcetype=distance | streamstats current=f last(Longitude) as lastLongitude last(Latitude) as lastLatitude | eval lastlocation= lastLatitude + " , " + lastLongitude | eval currlocation = Latitude + " , " + Longitude | search lastlocation=* AND currlocation=* | haversine originField=lastlocation currlocation outputField=distance | table _time lastlocation currlocation distance </CODE></PRE> <P>output is:</P> <P>_time lastlocation currlocation distance<BR /> 2015-04-19 13:33:00 52.444 , 17.444 52.333 , 17.333 14.459705438259151<BR /> 2015-04-19 13:30:00 52.333 , 17.333 52.222 , 17.222 14.469574885347384<BR /> 2015-04-19 13:27:00 52.222 , 17.222 52.111 , 17.111 14.47944752893998</P> <P>Cheers,</P> <P>Andreas</P> Mon, 20 Apr 2015 09:37:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-information-from-two-rows-in-a-search-result/m-p/147547#M185322 schose 2015-04-20T09:37:15Z