Re: How to subtract multivalues to a single value?

andres91302 · ‎06-21-2021

Hello everyone,

I have been bumping my head trying to subtract a list of values from a single value after I use the stats command.

I have something like this:

| stats values(TIME_ALERT) as "TIME ALERT" values(TIME_FRAUD) as "TIME FRAUD" by ID

TIME ALERT	TIME FRAUD	ID
1647854522 1647854525 1647854529	1658452541	UYU_UIS007

But what I want is something like this:

TIME ALERT	DIFF	TIME FRAUD	ID
1647854522 1647854525 1647854529	-10598019 -10598016 -10598012	1658452541	UYU_UIS007

which is doing DIFF= TIME ALERT - TIME FRAUD, knowing that TIME FRAUD will always be a single value... thank you so much guys for your help

ITWhisperer · ‎06-21-2021

Use mvmap

| makeresults
| eval _raw="1647854522,1647854525,1647854529|1658452541|UYU_UIS007"
| eval alert=mvindex(split(_raw,"|"),0)
| eval fraud=mvindex(split(_raw,"|"),1)
| eval id=mvindex(split(_raw,"|"),2)
| eval alert=split(alert,",")
| fields alert,fraud,id
| fields - _*


| eval diff=mvmap(alert,alert-fraud)

andres91302 · ‎06-21-2021

hey @ITWhisperer that was awesome thank you I dindt know that function was so usaful thank you so much my friend! Could you please let me know how would I choose from the diff field whihc is the smallest positive number?

I am trying by addig

| where diff>0
| eval spn=min(diff)

but it is not working for me Thank you so much for your help man!

ITWhisperer · ‎06-21-2021

| where diff>0
| sort 1 diff

How to subtract multivalues to a single value?

summary indexing

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?