get difference of 3rd and 2nd row

raghu0463
Explorer

Hi,

I was trying to get the difference of the 2nd and 3rd rows and display it as a 4th status value. Below is my search:


index=prod_e2 sourcetype=prod_csv type="n"
| dedup order
| stats count
| eval status="first"
| append [search index=prod_e2 sourcetype=prod_csv type="n" AND desc="2"
| dedup order
| stats count
| eval status="submit"
| table status count]
| append [search (index=prod_e2 sourcetype=prod_csv type="n" AND stat_desc="2" AND order_num!="0") OR
(index=prod_e2 sourcetype=prod_csv)
| dedup order
| stats count
| eval status="created"
| table status count]


I was able to get it as

status      count
first       20
submit      10
created     50

but I want it as

status      count
first       20
submit      10
created     50
difference  40

0 Karma

ITWhisperer
SplunkTrust
| transpose 0
| eval "row 4"='row 3'-'row 2'
| eval "row 4"=if(isnull('row 4'),"difference",'row 4')
| transpose 0 header_field=column
| fields status count
0 Karma
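
An added example, not part of the original thread: the same fourth row computed with appendpipe and keyed on the status labels rather than on row positions, so the result does not depend on the order in which the appended rows arrive. The first five lines only build constructed sample rows (the 20, 10 and 50 from the question) with makeresults so the search runs without the prod_e2 index; the field names n and signed are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval status=case(n=1, "first", n=2, "submit", n=3, "created")
| eval count=case(n=1, 20, n=2, 10, n=3, 50)
| table status count
| appendpipe
    [ eval signed=case(status="created", count, status="submit", 0-count)
    | stats sum(signed) AS count
    | eval status="difference"
    | table status count ]
```

With the sample rows this returns the three original rows followed by difference = 40. To use it on the real search, drop the first five lines and put the appendpipe stage after the last append.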