https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238416#M70820 <P>tks,</P> <P>that gives me </P> <PRE><CODE>_time a b 1 2016-03-14 09:49:32 2 1 2 2016-03-14 09:49:32 3 2 3 2016-03-14 09:49:32 1.500000 2 </CODE></PRE> <P>but how do I control the 3rd row value for _time to be <CODE>something else</CODE> as opposed to <CODE>2016-03-14 09:49:32</CODE>? </P> <P>I could use <A href="https://answers.splunk.com/answers/378906/can-i-change-the-values-of-a-specific-column-given.html">this</A> but I don't think the approach would work, unless know the values of b and c in row 3.</P> Sun, 13 Mar 2016 20:54:20 GMT HattrickNZ 2016-03-13T20:54:20Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238414#M70818 <P>I have a search giving me a table with row 1 and 2 below: </P> <PRE><CODE> _time A B C D 1 2015-02 1 3 5 7 2 2016-02 2 4 6 8 3 diff 2/1 4/3 6/5 8/7 </CODE></PRE> <P>I want to add row 3 giving me a value e.g 2/1=2 ... etc </P> <P>How do I achieve this? </P> <P>I know I can use <A href="https://answers.splunk.com/answers/368616/how-to-add-a-table-column-that-does-operations-in.html">delta</A> if I was to add a column getting the differences but here I want to add a row with the difference in the column.<BR /><BR /> I thought appendpipe could be an option here but I think that just just works for getting max, min, sum....etc</P> Wed, 09 Mar 2016 02:40:50 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238414#M70818 HattrickNZ 2016-03-09T02:40:50Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238415#M70819 <P>This seems clumsy, but it works (the first line just sets up data to make this run anywhere).</P> <PRE><CODE>| makeresults count=2 | streamstats count as a | eval a=a+1 | streamstats count as b | appendpipe [ streamstats window=1 current=f last(b) as last_b last(a) as last_a | tail 1 | eval b=b/last_b | eval a=a/last_a | fields - last*] </CODE></PRE> Wed, 09 Mar 2016 08:48:34 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238415#M70819 jeffland 2016-03-09T08:48:34Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238416#M70820 <P>tks,</P> <P>that gives me </P> <PRE><CODE>_time a b 1 2016-03-14 09:49:32 2 1 2 2016-03-14 09:49:32 3 2 3 2016-03-14 09:49:32 1.500000 2 </CODE></PRE> <P>but how do I control the 3rd row value for _time to be <CODE>something else</CODE> as opposed to <CODE>2016-03-14 09:49:32</CODE>? </P> <P>I could use <A href="https://answers.splunk.com/answers/378906/can-i-change-the-values-of-a-specific-column-given.html">this</A> but I don't think the approach would work, unless know the values of b and c in row 3.</P> Sun, 13 Mar 2016 20:54:20 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238416#M70820 HattrickNZ 2016-03-13T20:54:20Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238417#M70821 <P>You can either use <CODE>| streamstats count | eval _time=if(count=="3", "something else", _time)</CODE> for that if that's all you need.</P> Wed, 16 Mar 2016 19:16:45 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238417#M70821 jeffland 2016-03-16T19:16:45Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238418#M70822 <P>tks but I got this to work by simply doing <CODE>eval _time="something else" |</CODE></P> Wed, 16 Mar 2016 21:52:16 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238418#M70822 HattrickNZ 2016-03-16T21:52:16Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238419#M70823 <P>That will change every line, but I'm glad it works for you.</P> Fri, 18 Mar 2016 08:44:18 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238419#M70823 jeffland 2016-03-18T08:44:18Z https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238420#M70824 <P>tks but that did not matter, full example for reference. <CODE>| makeresults count=2 | streamstats count as A | eval A=A+1 | streamstats count as b | eval b=b+10 | streamstats count as c | eval c=c+11 | appendpipe [ streamstats window=1 current=f last(b) as last_b last(a) as last_a last(c) as last_c | tail 1 | eval b=b/last_b | eval a=a/last_a | eval c=c/last_c | eval _time="something else" | fields - last*]</CODE></P> Sun, 20 Mar 2016 18:35:34 GMT https://community.splunk.com/t5/Splunk-Search/adding-appending-a-row-to-get-differences-between-cells-above/m-p/238420#M70824 HattrickNZ 2016-03-20T18:35:34Z