Re: get difference of 3rd and 2nd row - Splunk Community

Reporting

Hi,

I was trying to get the difference of 2nd and 3rd row and display it as 4th status value, below is my search

index = prod_e2 sourcetype=prod_csv type="n"
| dedup order
| stats count
| eval status = "first"
| append [search index=prod_e2 sourcetype=prod_csv type="n" and desc="2"
|dedup order
|stats count
| eval status="submit"
|table status count]
| append [search (index= prod_e2 sourcetype=prod_csv type="n" and stat_desc="2" and order_num !="0" ) or
(index = prod_e2 sourcetype=prod_csv)
| dedup order
| stats count
| eval status = "created"
| table status count]

I was able to get it as

status count
first 20
submit 10
created 50

but I want it as

status count
first 20
submit 10
created 50
difference 40

| transpose 0
| eval "row 4"='row 3'-'row 2'
| eval "row 4"=if(isnull('row 4'),"difference",'row 4')
| transpose 0 header_field=column
| fields status count

Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...