Solved: Add a column that is the difference of the first t...

Username1 · ‎07-22-2020

So suppose that everyday Splunk takes in a report that houses 9 different fields, one of which is called 'status'. Status has the option of being 'New', 'Closed', or 'Open'. I'm trying to show a time-chart that shows the count per day of reports that have 'Closed' and 'New' status , along with the difference of the two (everyday). So a file with report_date '2020-07-23' is ingested in Splunk and shows we had 5 'New' reports, 7 'Closed' Reports, so the difference should be 2 for that day. How do I go about doing this in my search query?

index=blah... | timechart count(report_date) by status| fields - OPEN

This is where I'm stuck, how do I get the difference of only NEW and CLOSED included into my graph. Thanks in advance

richgalloway · ‎07-22-2020

This should do it.

index=blah... | timechart count(report_date) by status
| fields - OPEN
| eval diff=abs(New - Closed)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2020

This should do it.

index=blah... | timechart count(report_date) by status
| fields - OPEN
| eval diff=abs(New - Closed)

---
If this reply helps you, Karma would be appreciated.

Username1 · ‎07-22-2020

That worked perfectly. Thank you!

Add a column that is the difference of the first two columns.

chart

fields

stats

table

timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?