get difference of 3rd and 2nd row - Splunk Community

Reporting

Hi,

I was trying to get the difference of 2nd and 3rd row and display it as 4th status value, below is my search

index = prod_e2 sourcetype=prod_csv type="n"
| dedup order
| stats count
| eval status = "first"
| append [search index=prod_e2 sourcetype=prod_csv type="n" and desc="2"
|dedup order
|stats count
| eval status="submit"
|table status count]
| append [search (index= prod_e2 sourcetype=prod_csv type="n" and stat_desc="2" and order_num !="0" ) or
(index = prod_e2 sourcetype=prod_csv)
| dedup order
| stats count
| eval status = "created"
| table status count]

I was able to get it as

status count
first 20
submit 10
created 50

but I want it as

status count
first 20
submit 10
created 50
difference 40

| transpose 0
| eval "row 4"='row 3'-'row 2'
| eval "row 4"=if(isnull('row 4'),"difference",'row 4')
| transpose 0 header_field=column
| fields status count

Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...