https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222757#M65507 <P>Is it possible that there is a single event which contain two fields, each with multiple values? In this scenario, the fields are the equivalent of arrays which hold a list of values and lists cannot be added together. Simply put: the operation needs to use a single value against a single value at a time.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2130i65A4E7F6757789F9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Do you notice the <CODE>eval</CODE> statement at the end of the search?</P> <P>If this were the case, it will be necessary to break down the multi-value fields using some transformation commands. For the example above, the following works.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2131iED516E83AA2B9987/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As other Splunkers point out above, it will be important to understand how the data is being presented. From there, the transformation can happen in number of ways. This is just an example based on intuituion... but it may not reflect your reality.</P> <P>I hope this helps,</P> <P>-gc</P> Tue, 08 Nov 2016 05:56:43 GMT Gilberto_Castil 2016-11-08T05:56:43Z https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222753#M65503 <P>Hi all.</P> <P>I have a <CODE>FIELDX</CODE> with values like:</P> <PRE><CODE>VALUE1 200 VALUE2 120 VALUE3 156 </CODE></PRE> <P>Also, I have another field <CODE>FIELDY</CODE>, values:</P> <PRE><CODE>VALUE1 120 VALUE2 76 VALUE3 54 </CODE></PRE> <P>I want to show in a table a new field showing the difference between <CODE>FIELDX</CODE> and <CODE>FIELDY</CODE> per VALUE. I mean:</P> <PRE><CODE>FIELDZ VALUE1 80 VALUE2 44 VALUE3 102 </CODE></PRE> <P>I tried with a simple <CODE>... | eval FIELDZ=FIELDX-FIELDY</CODE>, but that didn't work.</P> <P>How I can do this?</P> <P>Thanks!</P> Tue, 08 Nov 2016 02:01:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222753#M65503 changux 2016-11-08T02:01:34Z https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222754#M65504 <P>What is the format of the event? JSON? Posting the event might be helpful!</P> Tue, 08 Nov 2016 03:57:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222754#M65504 jagadeeshm 2016-11-08T03:57:04Z https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222755#M65505 <P>Ive never done it, but you may try <BR /> |eval fieldx=(fieldX - fieldy)<BR /> I know you tried something similar, but I recall that functions usually need to be enclosed to work.</P> Tue, 08 Nov 2016 05:10:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222755#M65505 JDukeSplunk 2016-11-08T05:10:17Z https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222756#M65506 <P>Ideally based on the example the above should work. Have you tried printing table FIELDX FIELDY FIELDZ? Are the two fields FIELDX &amp; FIELDY numeric?<BR /> Please provide Splunk search query and sample FIELDX and FIELDY.</P> Tue, 08 Nov 2016 05:18:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222756#M65506 niketn 2016-11-08T05:18:16Z https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222757#M65507 <P>Is it possible that there is a single event which contain two fields, each with multiple values? In this scenario, the fields are the equivalent of arrays which hold a list of values and lists cannot be added together. Simply put: the operation needs to use a single value against a single value at a time.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2130i65A4E7F6757789F9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Do you notice the <CODE>eval</CODE> statement at the end of the search?</P> <P>If this were the case, it will be necessary to break down the multi-value fields using some transformation commands. For the example above, the following works.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2131iED516E83AA2B9987/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As other Splunkers point out above, it will be important to understand how the data is being presented. From there, the transformation can happen in number of ways. This is just an example based on intuituion... but it may not reflect your reality.</P> <P>I hope this helps,</P> <P>-gc</P> Tue, 08 Nov 2016 05:56:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-substract-values-from-two-different-fields-in-a-search/m-p/222757#M65507 Gilberto_Castil 2016-11-08T05:56:43Z