https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179509#M51678 <P>I would try using <CODE>mvlist=Value1</CODE> inside your <CODE>transaction</CODE> declaration and then <CODE>eval</CODE>ing the value you're looking for. Something like this.</P> <PRE><CODE>index="test" | transaction ID startswith="start" endswith="end" mvlist=Value1 | eval firstValue1=mvindex(Value1,0) | eval secondValue1=mvindex(Value1,1) | eval value1Diff=firstValue1 - secondValue1 | table ID Timestamp value1Diff trigger duration </CODE></PRE> Tue, 04 Nov 2014 18:33:10 GMT wpreston 2014-11-04T18:33:10Z https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179506#M51675 <P>Hi,</P> <P>I would like to use transaction to calculate the difference between multiple fields.<BR /> with this...</P> <PRE><CODE>index="test" | transaction ID startswith="start" endswith="end" | table ID Timestamp Value1 trigger duration </CODE></PRE> <P>i get..</P> <PRE><CODE>ID Timestamp Value1 trigger duration 123 04.11.14 15:00 44 start 60.00 04.11.14 15:01 30 end </CODE></PRE> <P>what i need is the difference of Value1 and the duration like this...</P> <PRE><CODE>ID Timestamp Value1 trigger duration 123 04.11.14 15:00 14 60.00 </CODE></PRE> <P>Does anyone know how to subtract two Values in a Transaction?</P> Tue, 04 Nov 2014 12:10:36 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179506#M51675 joza89 2014-11-04T12:10:36Z https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179507#M51676 <P>Have you looked at addtotals or addcoltotals? I'm not 100% sure how they react inside of a transaction though. It might work for the duration, but for Value1 it looks like you'd really need a subtractcoltotals which doesn't exist.</P> Tue, 04 Nov 2014 13:27:14 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179507#M51676 jeremiahc4 2014-11-04T13:27:14Z https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179508#M51677 <P>Did not work, unfortunately.<BR /> i also tried eventstats sum(Value1) as sum value this gives me the sum of all Value1s and not only in that transaction.</P> Tue, 04 Nov 2014 13:46:47 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179508#M51677 joza89 2014-11-04T13:46:47Z https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179509#M51678 <P>I would try using <CODE>mvlist=Value1</CODE> inside your <CODE>transaction</CODE> declaration and then <CODE>eval</CODE>ing the value you're looking for. Something like this.</P> <PRE><CODE>index="test" | transaction ID startswith="start" endswith="end" mvlist=Value1 | eval firstValue1=mvindex(Value1,0) | eval secondValue1=mvindex(Value1,1) | eval value1Diff=firstValue1 - secondValue1 | table ID Timestamp value1Diff trigger duration </CODE></PRE> Tue, 04 Nov 2014 18:33:10 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179509#M51678 wpreston 2014-11-04T18:33:10Z https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179510#M51679 <P>Worked, Thank you for your help</P> Wed, 05 Nov 2014 09:28:01 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-substitution-of-multiple-fields/m-p/179510#M51679 joza89 2014-11-05T09:28:01Z