Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I use the difference between multiple field values to create a new field in Splunk?

russell120
Communicator
‎10-15-2018 10:38 AM

I have an example lookup file below:

Week           Site_Visits                   
Week1Oct          500
Week2Oct          1300
Week3Oct          400
Week4Oct          2100
Week1Sep          1400

How do I create a new field to show the differences between each Site_Visit value against the first one ( 500)? Each week I will be adding a new row of data, so it should be scalable. It should look like this:

Week           Site_Visits         Progress           
Week1Oct          500                 0     
Week2Oct         1300                800 
Week3Oct          400               -100
Week4Oct         2100               1700
Week1Sep         1400               1100
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎10-15-2018 10:55 AM

Hi @russell120,
try this :-

|eventstats first(Site_Visits) as first|eval progress=Site_Visits-first|fields - first

try this run anywhere example as per your sample data-

| makeresults |eval week="Week1Oct", Site_Visits =500
|append[| makeresults |eval week="Week2Oct", Site_Visits =1300]
|append[| makeresults |eval week="Week3Oct", Site_Visits =400]
|append[| makeresults |eval week="Week4Oct", Site_Visits =2100]
|append[| makeresults |eval week="Week5Oct", Site_Visits =1400]
|eventstats first(Site_Visits) as first|eval progress=Site_Visits-first|fields - first

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-15-2018 11:44 AM

You would use Splunk delta command for this. Read this for more information
http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Delta

Usage:

your current search with fields Week and Site_Visits
| delta Site_Visits as Progress
0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-15-2018 12:21 PM

|delta Site_Visits as Progress returned the difference between each Site_Visits value and the Site_Visits value before directly before it. It did not return the difference between each Site_Visits value and the very first Site_Visits values, which in this case is 500. I need a field that returns 1300-500, 400-500, 2100-500, etc.

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎10-15-2018 10:55 AM

Hi @russell120,
try this :-

|eventstats first(Site_Visits) as first|eval progress=Site_Visits-first|fields - first

try this run anywhere example as per your sample data-

| makeresults |eval week="Week1Oct", Site_Visits =500
|append[| makeresults |eval week="Week2Oct", Site_Visits =1300]
|append[| makeresults |eval week="Week3Oct", Site_Visits =400]
|append[| makeresults |eval week="Week4Oct", Site_Visits =2100]
|append[| makeresults |eval week="Week5Oct", Site_Visits =1400]
|eventstats first(Site_Visits) as first|eval progress=Site_Visits-first|fields - first
0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-22-2018 10:33 AM

EDIT: |eventstats first(Site_Visits) as first|eval progress=Site_Visits-first|fields - first

This is the line that made it work. Thanks!

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎10-16-2018 06:37 AM

@russell120 , did you try this? are you getting expected output?

0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-16-2018 09:36 AM

@493669 I did, and I don't think its compatible with my query. My query is here: https://answers.splunk.com/answers/692485/how-to-populate-a-new-field-with-the-differences-o.html

It creates a table that looks the same as my question above but with different field names.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...