https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30367#M6142 <P>Is there some kind of grouping field that Splunk can use to match two lines together?</P> Fri, 09 Aug 2013 10:10:48 GMT martin_mueller 2013-08-09T10:10:48Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30366#M6141 <P>Hi, I've got 2 log lines which look similar to this:</P> <PRE><CODE>Thu Aug 08 16:45:01 2013 | Field1 : 25 Thu Aug 08 16:45:01 2013 | Field2 : 30 </CODE></PRE> <P>Does anyone know how to find Field3 which is (Field2-Field1)</P> <P>I've tried: <BR /> | eval Field3=Field2-Field1 |</P> <P>But because they're not from the same log line, Field3 is always null.<BR /> Any advice is appreciated!</P> Fri, 09 Aug 2013 10:07:40 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30366#M6141 606866581 2013-08-09T10:07:40Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30367#M6142 <P>Is there some kind of grouping field that Splunk can use to match two lines together?</P> Fri, 09 Aug 2013 10:10:48 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30367#M6142 martin_mueller 2013-08-09T10:10:48Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30368#M6143 <P>unfortunately these logs are pretty bare, they're not much longer than the example above ^</P> Fri, 09 Aug 2013 10:13:43 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30368#M6143 606866581 2013-08-09T10:13:43Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30369#M6144 <P>Are they reliably group-able by timestamp? If not, how should Splunk guess which two lines to match up?</P> Fri, 09 Aug 2013 10:15:28 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30369#M6144 martin_mueller 2013-08-09T10:15:28Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30370#M6145 <P>Actually yes, the timestamp is guaranteed to be exactly the same</P> Fri, 09 Aug 2013 10:16:48 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30370#M6145 606866581 2013-08-09T10:16:48Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30371#M6146 <P>Assuming the two events have the same timestamp and no other events with that timestamp exist, you can do this:</P> <PRE><CODE>... | eventstats first(Field1) as f1 first(Field2) as f2 by _time | eval f3 = f2 - f1 </CODE></PRE> Fri, 09 Aug 2013 10:19:43 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30371#M6146 martin_mueller 2013-08-09T10:19:43Z https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30372#M6147 <P>Worked perfectly, Thanks!</P> Fri, 09 Aug 2013 10:28:12 GMT https://community.splunk.com/t5/Splunk-Search/Calculations-on-2-different-fields-from-2-separate-logs-newbie/m-p/30372#M6147 606866581 2013-08-09T10:28:12Z