I have been bumping my head trying to subtract a list of values from a single value after I use the stats command.
I have something like this:
| stats values(TIME_ALERT) as "TIME ALERT" values(TIME_FRAUD) as "TIME FRAUD" by ID
|TIME ALERT||TIME FRAUD||ID|
But what I want is something like this:
|TIME ALERT||DIFF||TIME FRAUD||ID|
which is doing DIFF = TIME ALERT - TIME FRAUD, knowing that TIME FRAUD will always be a single value. Thank you so much, guys, for your help.
| makeresults
| eval _raw="1647854522,1647854525,1647854529|1658452541|UYU_UIS007"
| eval alert=mvindex(split(_raw,"|"),0)
| eval fraud=mvindex(split(_raw,"|"),1)
| eval id=mvindex(split(_raw,"|"),2)
| eval alert=split(alert,",")
| fields alert,fraud,id
| fields - _*
| eval diff=mvmap(alert,alert-fraud)
Hey @ITWhisperer, that was awesome, thank you! I didn't know that function was so useful, thank you so much my friend! Could you please let me know how I would choose the smallest positive number from the diff field?
I am trying by adding
| where diff>0 | eval spn=min(diff)
but it is not working for me. Thank you so much for your help, man!
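An added example, not part of the original thread and not @ITWhisperer's answer, showing one way to get the smallest positive diff per id. The sample row is constructed so that the alert timestamps fall on both sides of the fraud timestamp (the thread's own sample data would produce only negative diffs); the field names alert, fraud, id, diff and spn are assumed to match the earlier search.

```spl
| makeresults
| eval _raw="1658452539,1658452560,1658452545|1658452541|UYU_UIS007"
| eval alert=split(mvindex(split(_raw,"|"),0),",")
| eval fraud=mvindex(split(_raw,"|"),1)
| eval id=mvindex(split(_raw,"|"),2)
| fields alert, fraud, id
| fields - _*
| eval diff=mvmap(alert, alert-fraud)
| mvexpand diff
| where diff>0
| stats values(alert) as alert, first(fraud) as fraud, values(diff) as diff, min(diff) as spn by id
```

The first seven lines rebuild the multivalue diff field exactly as in the earlier search. mvexpand then turns each diff entry into its own event, where keeps only the events whose diff is positive, and stats min(diff) collapses them back to one row per id with the smallest positive difference in spn (4 for the constructed row, from 1658452545 - 1658452541; the -2 entry is dropped and 19 loses to 4). The posted attempt does not work because eval's min() returns the minimum of its arguments (min(a, b, ...)), not the minimum of the entries inside a single multivalue field, and where keeps or drops whole events, so it cannot discard individual negative entries of a multivalue field; expanding first sidesteps both limitations. Avoid mvsort for this, since it orders values lexicographically rather than numerically.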