Splunk Search

How to deduct two sums

highriser666
New Member

I am trying to sum 2 Fields of a search and then deduct the one from the other:

my idea is not working:

| stats sum( eval (stats sum(Field1)) - (stats( sum(Field2)) ) AS difference12

0 Karma

fdi01
Motivator

or you can try like :

...| timechart eval(sum(Field1)- sum(Field2)) as difference12

0 Karma

MuS
SplunkTrust

this will not work, because sum() is not an eval function, but the other way around it will work (run everywhere example):

 index=_internal | timechart sum(eval(kb-kbps)) AS diff

But I doubt this will be the correct result, because it will not calculate the total difference. On the other hand the use case is not 100% clear so maybe it could work 😉

0 Karma

s2_splunk
Splunk Employee

How about:

| stats sum(Field1) as Sum1, sum(Field2) as Sum2 | eval difference12 = Sum1-Sum2
0 Karma

MuS
SplunkTrust

Hi highriser666,

take this run everywhere command as example:

 index=_internal | stats sum(kb) AS KB sum(kbps) AS KBPS | eval diff=KB-KBPS

You first have to sum() your fields (here it is kb and kbps) and then evaluate the difference.

Hope this helps ...

cheers, MuS

0 Karma

highriser666
New Member

Thank you,

I tried it already before getting mad with the other term.

When I do the stats as you suggest, it always gives me only the sums for field1 and field2.

"Difference12" is not shown as the expected single value in the stats tab of the results, even though it should be the singular result of the term.

Stats always only shows field1 and field2.

Currently Field2 is NULL all the time; could that cause an issue?

0 Karma

MuS
SplunkTrust

either do as @somesoni2 suggests or provide some sample events and your complete search. Makes it easier to help 😉

0 Karma

somesoni2
SplunkTrust

Yes, if the value of a field is always NULL, the stats will return NULL for the Field2 and subsequent diff will also be NULL.

Try something like this

Your base search | stats sum(Field1) AS Field1 sum(Field2) AS Field2 | fillnull value=0 Field2 | eval Difference12 = Field1 - Field2
0 Karma
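As an added, self-contained example (not posted by anyone in this thread), the following run-anywhere search reproduces the NULL problem described above and shows the fix from the last two answers in one place. It uses makeresults and streamstats to construct three dummy events; the field names Field1, Field2 and Difference12 are taken from the thread, and the numeric values are made up. Field2 is deliberately never set, so the first eval of Difference12 comes back empty, and the same calculation after fillnull yields a number:

```spl
| makeresults count=3
| streamstats count AS n
| eval Field1 = n * 10
| stats sum(Field1) AS Field1 sum(Field2) AS Field2
| eval Difference12_without_fillnull = Field1 - Field2
| fillnull value=0 Field2
| eval Difference12 = Field1 - Field2
| table Field1 Field2 Difference12_without_fillnull Difference12
```

Field1 sums to 60 while Field2, having no values at all, is NULL after stats; any arithmetic involving a NULL operand in eval is NULL, which is why Difference12_without_fillnull stays empty. After fillnull sets Field2 to 0, Difference12 evaluates to 60. Note the order: fillnull has to run on the aggregated fields after stats (as in somesoni2's answer), because a field that is absent from every raw event has nothing for stats to sum in the first place.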