Reporting

get difference of 3rd and 2nd row

raghu0463
Explorer

Hi, 

I was trying to get the difference of 2nd and 3rd row and display it as 4th status value, below is my search 


index = prod_e2 sourcetype=prod_csv type="n"
| dedup order
| stats count
| eval status = "first"
| append [search index=prod_e2 sourcetype=prod_csv type="n" and desc="2"
|dedup order
|stats count
| eval status="submit"
|table status count]
| append [search (index= prod_e2 sourcetype=prod_csv type="n" and stat_desc="2" and order_num !="0" ) or
(index = prod_e2 sourcetype=prod_csv)
| dedup order
| stats count
| eval status = "created"
| table status count]


I was able to get it as 


status        count
first              20
submit        10
created       50


but I want it as 

status                    count
first                           20
submit                     10
created                    50
difference               40

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| transpose 0
| eval "row 4"='row 3'-'row 2'
| eval "row 4"=if(isnull('row 4'),"difference",'row 4')
| transpose 0 header_field=column
| fields status count
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...