Reporting

How to subtract multivalues to a single value?

andres91302
Communicator

Hello everyone,

I have been bumping my head trying to subtract a list of values from a single value after I use the stats command.

I have something like this:

| stats values(TIME_ALERT) as "TIME ALERT" values(TIME_FRAUD) as "TIME FRAUD" by ID


TIME ALERT    TIME FRAUD    ID
1647854522    1658452541    UYU_UIS007
1647854525
1647854529


But what I want is something like this:

TIME ALERT    DIFF         TIME FRAUD    ID
1647854522    -10598019    1658452541    UYU_UIS007
1647854525    -10598016
1647854529    -10598012

which is doing DIFF = TIME ALERT - TIME FRAUD, knowing that TIME FRAUD will always be a single value... Thank you so much, guys, for your help.


ITWhisperer
SplunkTrust

Use mvmap

| makeresults
| eval _raw="1647854522,1647854525,1647854529|1658452541|UYU_UIS007"
| eval alert=mvindex(split(_raw,"|"),0)
| eval fraud=mvindex(split(_raw,"|"),1)
| eval id=mvindex(split(_raw,"|"),2)
| eval alert=split(alert,",")
| fields alert,fraud,id
| fields - _*
| eval diff=mvmap(alert,alert-fraud)

andres91302
Communicator

Hey @ITWhisperer, that was awesome, thank you! I didn't know that function was so useful, thank you so much my friend! Could you please let me know how I would choose the smallest positive number from the diff field?

I am trying by adding

| where diff>0
| eval spn=min(diff)

but it is not working for me. Thank you so much for your help, man!

ITWhisperer
SplunkTrust
| where diff>0
| sort 1 diff
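A follow-up search, added here as an example and not part of ITWhisperer's or andres91302's posts, that carries the thread's mvmap approach through to "smallest positive difference" per ID in one pass. Both rows are constructed: the first is the data from the original question, where every alert time is earlier than the fraud time, so no positive difference exists; the second row (id UYU_UIS008, made up for the example) mixes positive and negative differences. Expanding diff and computing the minimum inside stats with an eval keeps an ID whose differences are all negative in the output (spn is empty) instead of filtering that ID away.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1, "1647854522,1647854525,1647854529|1658452541|UYU_UIS007", "1658452600,1658452530,1658452700|1658452541|UYU_UIS008")
| eval alert=split(mvindex(split(_raw,"|"),0),",")
| eval fraud=mvindex(split(_raw,"|"),1)
| eval id=mvindex(split(_raw,"|"),2)
| eval diff=mvmap(alert, alert-fraud)
| mvexpand diff
| stats values(diff) AS diff min(eval(if(diff>0, diff, null()))) AS spn by id
```

For UYU_UIS008 the differences are 59, -11 and 159, so spn is 59; for UYU_UIS007 all three differences are negative and spn stays empty while the ID is still listed. If you only want IDs that have at least one positive difference, add `| where isnotnull(spn)` at the end.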