https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639209#M221484 <P>Thanks you so much for a quick help. I got the result as expected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Today I learned that single quotes denotes a field and double quotes denotes a string. Thanks a lot ...</P> Fri, 07 Apr 2023 14:15:09 GMT RanjiRaje 2023-04-07T14:15:09Z https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639190#M221474 <P>Hi everyone, My post is huge. sorry for that. I need suggestion from you for the query I framed.</P><P>I have 2 lookup used (lookfileA, lookfileB)</P><P>column: <STRONG>BaseA</STRONG> &gt; count by division in lookupfileA<BR />column: <STRONG>Column_IndexA</STRONG> &gt; to compare lookfileA under indexA and get matching host count<BR />column: <STRONG>BaseB</STRONG> &gt; count by division in lookupfileB<BR />column: <STRONG>Inscope</STRONG> &gt; count by division in lookupfileB with Active status<BR />column: <STRONG>Column_OtherIndexes</STRONG> &gt; to compare lookfileB under otherindexes and get matching host count</P><P>index=indexA<BR />| lookup <STRONG>lookfileA</STRONG> host as hostname OUTPUTNEW Division<BR />| fields hostname,Division<BR />| stats dc(hostname) as "<STRONG>Column_IndexA</STRONG>" by Division<BR />| append<BR />[| tstats count where index IN ("win","linux") by host<BR />| eval host=upper(host)<BR />| fields - count<BR />| join type=inner host<BR />[| inputlookup <STRONG>lookfileA</STRONG><BR />| fields host, Division<BR />| eval host=upper(host)]<BR />| stats count as "<STRONG>Column_OtherIndexes</STRONG>" by Division]<BR />| append<BR />[| inputlookup <STRONG>lookfileA</STRONG><BR />| stats count as "<STRONG>BaseA</STRONG>" by Division]<BR />| append<BR />[| inputlookup <STRONG>lookfileB</STRONG><BR />| stats count as <STRONG>BaseB</STRONG> by category<BR />| where category IN ("Win","Linux")<BR />| rename category as Division]<BR />| append<BR />[| inputlookup <STRONG>lookfileB</STRONG><BR />| stats count as <STRONG>Inscope</STRONG> by category,status<BR />| where category IN ("Win","Linux") AND status="Active"<BR />| rename category as Division]<BR />| fields Division,BaseB,Inscope,"Column_OtherIndexes","BaseA","Column_IndexA"<BR />| stats values(*) as * by Division<BR />| table Division,BaseB,Inscope,"Column_OtherIndexes","BaseA","Column_IndexA"<BR />| eval Difference="Column_IndexA" -&nbsp;"Column_OtherIndexes"<BR />| fillnull value=0<BR />| addtotals col=t row=f labelfield=Division label=Total</P><P>Below is the sample output and I need to get difference column. Used eval command but getting error</P><TABLE width="569"><TBODY><TR><TD width="64">Division</TD><TD width="64">BaseB</TD><TD width="64">Inscope</TD><TD width="145">Column_OtherIndexes</TD><TD width="64">BaseA&nbsp;</TD><TD width="104">Column_IndexA</TD><TD width="64"><STRONG>Difference</STRONG></TD></TR><TR><TD>M</TD><TD>300</TD><TD>200</TD><TD>50</TD><TD>300</TD><TD>200</TD><TD>200-50</TD></TR><TR><TD>N</TD><TD>200</TD><TD>100</TD><TD>20</TD><TD>300</TD><TD>200</TD><TD>200-20</TD></TR><TR><TD>Total</TD><TD>500</TD><TD>300</TD><TD>70</TD><TD>600</TD><TD>400</TD><TD>400-70</TD></TR></TBODY></TABLE> Fri, 07 Apr 2023 10:12:20 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639190#M221474 RanjiRaje 2023-04-07T10:12:20Z https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639206#M221482 <P>What error did you get from the <FONT face="courier new,courier">eval</FONT> command?</P><P>I suspect eval is having a problem substracting one string constant from another.&nbsp; Put the field names in single quotes rather than double quotes.&nbsp; On the RHS, single quotes denote a field name and double quotes denote a string.&nbsp; In fact, quotation marks are not needed at all with those names.</P><LI-CODE lang="markup">| eval Difference = 'Column_IndexA' - 'Column_OtherIndexes'</LI-CODE><P>&nbsp;</P> Fri, 07 Apr 2023 14:00:05 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639206#M221482 richgalloway 2023-04-07T14:00:05Z https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639209#M221484 <P>Thanks you so much for a quick help. I got the result as expected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Today I learned that single quotes denotes a field and double quotes denotes a string. Thanks a lot ...</P> Fri, 07 Apr 2023 14:15:09 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch/m-p/639209#M221484 RanjiRaje 2023-04-07T14:15:09Z