Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the difference in count of last two columns where the columns will increase dynamically

Keerthana_18
Explorer
‎10-25-2021 08:55 AM

Hi Everyone,

I am new to Splunk. Could someone help me and provide the search for the below query: That would be Great!!

I have a search which gives below results by doing comparison of last week and current week and it shows the count of each status in weekly manner.

DateActiveInactiveDeletedAdded
09/10/215020520

 

I will be sending the above result to lookup file every week data to provide the summary.(| outputlookup append=true summary.csv)

The lookup file looks like below after 3 weeks.

DateActiveInactiveDeletedAdded
09/10/20215020520
16/10/202155151030
23/10/20216010815

 

Date column keeps on growing dynamically each week,  always I need to  calculate difference between last two column and create new column to tell the difference. The result am expecting is below. 

 

Status09/10/202116/10/202123/10/2021Difference b/w last 2 columns
Active5055605
Inactive201510-5
Deleted5108-2
Added203015-15
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2021 01:52 AM

The part before the blank lines sets up dummy data and would be replaced by your search/inputlookup

The process is to list the values from the previous and current line, then remove the additional values for all but the last line. Then mvexpand the last line, resetting the first copy to its original state. Now the last line has both values (note the addition of the "-" for the second value), which can then be summed. Finally, transpose to get the layout required.

Note the use of leading underscores in some of the field names to hide them from the foreach.

| makeresults
| eval _raw="Date	Active	Inactive	Deleted	Added
09/10/2021	50	20	5	20
16/10/2021	55	15	10	30
23/10/2021	60	10	8	15"
| multikv forceheader=1
| table Date	Active	Inactive	Deleted	Added



| streamstats list(*) as * window=2
| streamstats count as _row
| eventstats max(_row) as _last
| foreach *
    [| eval <<FIELD>>=if(_row=_last,mvappend(mvindex('<<FIELD>>',1),"-".mvindex('<<FIELD>>',0)),if(mvcount('<<FIELD>>')>1,mvindex('<<FIELD>>',1),'<<FIELD>>'))]
| mvexpand Date
| streamstats count as _copy by _row
| eval Date=if(_copy=2,"Difference",Date)
| rename Date as _Date
| foreach *
    [| eval <<FIELD>>=if(mvcount=1,<<FIELD>>,if(_copy=1,mvindex(<<FIELD>>,0),<<FIELD>>))]
| eventstats sum(*) as * by _row _copy
| rename _Date as Date
| fields - _*
| transpose 0 header_field=Date column_name=Status

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2021 01:52 AM

The part before the blank lines sets up dummy data and would be replaced by your search/inputlookup

The process is to list the values from the previous and current line, then remove the additional values for all but the last line. Then mvexpand the last line, resetting the first copy to its original state. Now the last line has both values (note the addition of the "-" for the second value), which can then be summed. Finally, transpose to get the layout required.

Note the use of leading underscores in some of the field names to hide them from the foreach.

| makeresults
| eval _raw="Date	Active	Inactive	Deleted	Added
09/10/2021	50	20	5	20
16/10/2021	55	15	10	30
23/10/2021	60	10	8	15"
| multikv forceheader=1
| table Date	Active	Inactive	Deleted	Added



| streamstats list(*) as * window=2
| streamstats count as _row
| eventstats max(_row) as _last
| foreach *
    [| eval <<FIELD>>=if(_row=_last,mvappend(mvindex('<<FIELD>>',1),"-".mvindex('<<FIELD>>',0)),if(mvcount('<<FIELD>>')>1,mvindex('<<FIELD>>',1),'<<FIELD>>'))]
| mvexpand Date
| streamstats count as _copy by _row
| eval Date=if(_copy=2,"Difference",Date)
| rename Date as _Date
| foreach *
    [| eval <<FIELD>>=if(mvcount=1,<<FIELD>>,if(_copy=1,mvindex(<<FIELD>>,0),<<FIELD>>))]
| eventstats sum(*) as * by _row _copy
| rename _Date as Date
| fields - _*
| transpose 0 header_field=Date column_name=Status

 

Reply
Solved! Jump to solution

Keerthana_18
Explorer
‎10-26-2021 02:33 AM

Thanky @ITWhisperer .

Great! Awesome, it worked as excepted.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-25-2021 09:39 AM

I don't understand - the second table is teansposed versus the first one. So what exactly do you want?

0 Karma
Reply
Solved! Jump to solution

Keerthana_18
Explorer
‎10-25-2021 11:21 PM

Hello,

 

From the lookup file i need to do transpose then I want to find the difference of last column(last 2 weeks) in new column called Difference.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...