topic Re: How to calculate the difference between two fields from different files? in Splunk Search

How to calculate the difference between two fields from different files?

rahul_monty — Mon, 24 Aug 2015 09:51:11 GMT

I have two different files abc and abc1. Both have two fields TS1 and TS2. I just want to calculate difference between TS2 of abc1 with TS1 of ABC. I'm new here so please help me guys. Thanx in Advance..

Re: How to calculate the difference between two fields from different files?

skoelpin — Mon, 24 Aug 2015 13:43:32 GMT

Are they both going to the same index? If so then it would be easy, you need to use the eval command which will create a new field (Diff) which will then have the difference between TS2 and TS1

index=blah TS1 TS2 | eval Diff=TS2-TS1 | table Diff

index=blah is where you define what index you want to search in
TS1 TS2 is calling those fields within index=blah for faster search performance
|eval is a command in splunk which will make a new field called Diff which will store the difference between TS2 and TS1
|table Diff will create a table with a column called Diff which will display the difference between TS2 and TS1

Re: How to calculate the difference between two fields from different files?

somesoni2 — Mon, 24 Aug 2015 15:47:46 GMT

Will need more information than this. How is your data stored in Splunk for these two files, What type of difference you want to check, any sample values?

Re: How to calculate the difference between two fields from different files?

chanmi2 — Tue, 25 Aug 2015 01:07:11 GMT

You may try this:

index=sth source="abc" | table TS1 | appendcols [search index=sth source="abc1" | table TS2 | rename TS2 as abc1_TS2] | eval Diff = abc1_TS2 - TS1

If these two files are unrelated, you can just use appendcols. Otherwise you should use join [common field]

Re: How to calculate the difference between two fields from different files?

victorrosberg — Tue, 25 Aug 2015 06:56:06 GMT

It's possible that the above version works for you in this case but here's how I'd solve it(assuming in this case that it's the same sourcetype as both sources had the same specific fields):

index="A" sourcetype="B" source="ABC" | eval R1 = TS1| join sourcetype [search index="X" sourcetype="B" source="ABC1" | eval R2 = TS2 | fields - R2] | eval diff(R2-R1) = R2-R1 | table diff(R2-R1), R1, R2

If you want just the latest event from each source you could add a dedup command like this:

    index="A" sourcetype="B" source="ABC" | dedup source | eval R1 = TS1| join sourcetype [search index="X" sourcetype="B" source="ABC1" | eval R2 = TS2 | fields - R2] | eval diff(R2-R1) = R2-R1 | table diff(R2-R1), R1, R2

Perhaps not the most beautiful way to do it but I find it clear. Will not work well in real time.

Hope this helps,
Victor

Re: How to calculate the difference between two fields from different files?

loureni1 — Tue, 20 Mar 2018 13:43:02 GMT

Thanks..this query was helpfull

Re: How to calculate the difference between two fields from different files?

skoelpin — Tue, 20 Mar 2018 15:01:25 GMT

Feel free to upvote if this helped!