topic Re: would like to know how to get subtraction of field value in two different events in Splunk Search

would like to know how to get subtraction of field value in two different events

Ahmedkhalil — Thu, 09 Jul 2015 21:23:19 GMT

would like to know how to get subtraction of field value in two different events
i mean i have event A with field sum = 15
and event B with field sum = 20
i would like to create new field called diff that contain value = field of event B - field of event A

thanks in advance

Re: would like to know how to get subtraction of field value in two different events

MuS — Thu, 09 Jul 2015 21:31:42 GMT

Hi Ahmedkhalil,

you can use streamstats to achieve it. Using streamstats like this:

your base search here| streamstats current=f last(sum) AS last | eval diff=sum-last | table event sum diff

Hope this helps ...

cheers, MuS

Re: would like to know how to get subtraction of field value in two different events

Ahmedkhalil — Thu, 09 Jul 2015 21:38:39 GMT

i would like to get difference between two fields not summation
and also this events is transaction
so i need to get difference between events in same transaction

Re: would like to know how to get subtraction of field value in two different events

pradeepkumarg — Thu, 09 Jul 2015 21:41:38 GMT

What you are looking for is delta command

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Delta

Re: would like to know how to get subtraction of field value in two different events

MuS — Thu, 09 Jul 2015 21:54:34 GMT

Sorry my bad, I'm still a bit sleepy 😉 BTW your question states it's two events and not one transaction event.

Re: would like to know how to get subtraction of field value in two different events

Ahmedkhalil — Thu, 09 Jul 2015 21:55:12 GMT

ok it's good start how can i do this task at index time not search time

Re: would like to know how to get subtraction of field value in two different events

martin_mueller — Thu, 09 Jul 2015 21:55:59 GMT

You cannot do maths at index time, you're limited to regular expressions.

Re: would like to know how to get subtraction of field value in two different events

MuS — Thu, 09 Jul 2015 22:09:46 GMT

Another addition; if this is really in a Splunk transaction event, it will not work with delta nor streamstats. Both commands do their thing event based:

 For each event where field is a number, the delta command computes the difference, in search order, between the field value for the event and the field value for the previous event. The delta command writes this difference into newfield

The same is with streamstats ....

Re: would like to know how to get subtraction of field value in two different events

Ahmedkhalil — Thu, 09 Jul 2015 23:32:30 GMT

but below example from search referance delta examples and contain same example that i can use
sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")

Re: would like to know how to get subtraction of field value in two different events

Ahmedkhalil — Thu, 09 Jul 2015 23:33:29 GMT

ok but problem is that i will use this field many times in dashboards and it's alot of data So execute this search command each time will make reports and dashboard slow

Re: would like to know how to get subtraction of field value in two different events

MuS — Fri, 10 Jul 2015 01:13:48 GMT

Yes, if your after transaction event has a single value field which can be used with delta it will work....But you have a transaction with a multi value field called sum and this cannot be used in delta .....