https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639455#M221558 <BLOCKQUOTE><HR />How to compare last value with the second last value?<DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><SPAN>....</SPAN></DIV><DIV class=""><SPAN>I want to compare the last record 80 with that of 67( last value and want to write whether the value was 'greater' or 'smaller' in the output.</SPAN></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P class="lia-align-left">In above case 55 was greater so my output should say GREATER. ...</P></DIV></DIV></DIV></DIV></DIV><HR /></BLOCKQUOTE><P>You may need to describe the use case with consistency. &nbsp;The title says last vs 7th last, which kinda agrees with 80 vs 67. &nbsp;Then, the opening sentence says last with second last; and the last sentence cites a number 55 which is neither the 7th last nor the second last.</P><P>Here, I'll take 7th last. &nbsp;The following statement also needs clarification:</P><BLOCKQUOTE><HR />Say I have a column with N records in it<BR /><HR /></BLOCKQUOTE><P>Does this mean that the column is multivalued with 7 records, or does it mean that you have 7 separate events with this column?</P><P>If former, a semantical interpretation of your requirement (compare with 7th last) is</P><LI-CODE lang="markup">| eval output = if(tonumber(mvindex(column, -1)) - tonumber(mvindex(column, -7)) &gt; 0, "GREATER", "SMALLER or EQUAL")</LI-CODE><P>If latter, you first make the column multivalued with original sequence.</P><LI-CODE lang="markup">| stats list(column) as column | eval output = if(tonumber(mvindex(column, -1)) - tonumber(mvindex(column, -7)) &gt; 0, "GREATER", "SMALLER or EQUAL")</LI-CODE><P>Here, I also do not know if you want EQUAL to be a separate output so I'm using the simplest if() function. &nbsp;If you need a separate EQUAL, it would be more economic to save output of mvindex to variables (fields) before applying case() command.</P><P>Hope this helps.</P> Tue, 11 Apr 2023 06:57:32 GMT yuanliu 2023-04-11T06:57:32Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639440#M221553 <DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class="">How to compare last value with the second last value?</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>Say I have a column with N records in it<BR />88<BR />22<BR />67. --&gt;<BR />44<BR />55<BR />12<BR />44<BR />75<BR />80 --&gt;</P><P>I want to compare the last record 80 with that of 67( last value and want to write whether the value was 'greater' or 'smaller' in the output.</P><P class="lia-align-left">In above case 55 was greater so my output should say GREATER. Do we have any command to accomplish this?</P></DIV></DIV></DIV></DIV></DIV> Tue, 11 Apr 2023 01:44:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639440#M221553 aguasd12 2023-04-11T01:44:50Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639442#M221554 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/255718">@aguasd12</a>&nbsp;<BR /><BR />An interesting use case.&nbsp; Something like this should work...<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval n=mvrange(0,80) | mvexpand n | eval n=substr(tostring(n * random()), 1, 2) ``` above just creates dummy results ``` ``` add the following to you query ``` | streamstats count | where count=67 OR count=80 | table count n | transpose header_field="count" | eval status=case(('67'=='80'), "EQUAL", ('67' &gt; '80'), "GREATER THAN", ('67' &lt; '80'), "LESS THAN")</LI-CODE><P>Hope that helps</P> Tue, 11 Apr 2023 03:27:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639442#M221554 yeahnah 2023-04-11T03:27:50Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639443#M221555 <P>On rereading your question I see I misunderstood it, initially.&nbsp; This should meet you use case&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval n=mvrange(0,100) | mvexpand n | eval n=substr(tostring(n * random()), 1, 2) ``` above just creates dummy results ``` ``` add the following to your query ``` | streamstats count | eventstats max(count) as total_rows | eval 7thlast=(total_rows-7) | where count='7thlast' OR count='total_rows' | table count n 7thlast total_rows | transpose | where column="n" | rename "row 1" AS 7thlast, "row 2" AS last | eval status=case(('7thlast'=='last'), "EQUAL", ('7thlast' &gt; 'last'), "GREATER THAN", ('7thlast' &lt; 'last'), "LESS THAN")</LI-CODE><P>&nbsp;</P> Tue, 11 Apr 2023 04:12:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639443#M221555 yeahnah 2023-04-11T04:12:33Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639455#M221558 <BLOCKQUOTE><HR />How to compare last value with the second last value?<DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><SPAN>....</SPAN></DIV><DIV class=""><SPAN>I want to compare the last record 80 with that of 67( last value and want to write whether the value was 'greater' or 'smaller' in the output.</SPAN></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P class="lia-align-left">In above case 55 was greater so my output should say GREATER. ...</P></DIV></DIV></DIV></DIV></DIV><HR /></BLOCKQUOTE><P>You may need to describe the use case with consistency. &nbsp;The title says last vs 7th last, which kinda agrees with 80 vs 67. &nbsp;Then, the opening sentence says last with second last; and the last sentence cites a number 55 which is neither the 7th last nor the second last.</P><P>Here, I'll take 7th last. &nbsp;The following statement also needs clarification:</P><BLOCKQUOTE><HR />Say I have a column with N records in it<BR /><HR /></BLOCKQUOTE><P>Does this mean that the column is multivalued with 7 records, or does it mean that you have 7 separate events with this column?</P><P>If former, a semantical interpretation of your requirement (compare with 7th last) is</P><LI-CODE lang="markup">| eval output = if(tonumber(mvindex(column, -1)) - tonumber(mvindex(column, -7)) &gt; 0, "GREATER", "SMALLER or EQUAL")</LI-CODE><P>If latter, you first make the column multivalued with original sequence.</P><LI-CODE lang="markup">| stats list(column) as column | eval output = if(tonumber(mvindex(column, -1)) - tonumber(mvindex(column, -7)) &gt; 0, "GREATER", "SMALLER or EQUAL")</LI-CODE><P>Here, I also do not know if you want EQUAL to be a separate output so I'm using the simplest if() function. &nbsp;If you need a separate EQUAL, it would be more economic to save output of mvindex to variables (fields) before applying case() command.</P><P>Hope this helps.</P> Tue, 11 Apr 2023 06:57:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-last-value-with-the-7th-last-value/m-p/639455#M221558 yuanliu 2023-04-11T06:57:32Z