Splunk Search

After grouping data, how to find the difference between each "num" field value pair per row in a table?

kyotosaw
New Member

I have a query that returns a stats table with all the data I care about, but there's a calculation I'd like to add to this presentation, and I can't seem to figure out how to get it. My stats table looks like this:

group   num
----    ----
a       10
        20
------------
b       10
        20
------------
c       20
        35
        5
        7
------------
d       8
        16

I'd like to get the difference of the num field between each pair of rows so I don't have to calculate it manually, while still having the full context of each line. So I want something that looks like this:

group   num     diff
----    ----    ----
a       10
        20      10
--------------------
b       10
        20      10
--------------------
c       20
        35      15
        5
        7       2
--------------------
d       8
        16      8

I thought I could just pipe everything through the delta command on the num field, even if instead of empty values where I want for the diff field it naively diffed the row above, but that didn't work. Do I need to transform the stats table into a regular table with the 'group' values repeating, or is it something else?

Tags (4)
0 Karma

cpride_splunk
Splunk Employee
Splunk Employee

So hopefully this gets you close... The simplest search to do this based on your tables above would be:

<search> | filldown group | streamstats current=f  last(num) as prev by group | eval diff=num - prev | fields -  prev | fields group num diff

If you are trying to limit strictly to pairwise you can adjust the search to this:

<search> | filldown group | streamstats current=f count last(num) as prev by group | eval diff=if(count%2==1,num - prev, "") | fields - count prev | fields group num diff

And if polluting the group field with filldown is a problem you can always do:

<search> | eval statsgroup = group | filldown statsgroup | streamstats current=f count last(num) as prev by statsgroup | eval diff=if(count%2==1,num - prev, "") | fields - count prev statsgroup | fields group num diff

martin_mueller
SplunkTrust
SplunkTrust

It seems there is only one row per group, so filldown would need to be replaced with mvexpand num to enable streamstats.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Is that one row per group value with multi-value nums, or one row per num value?

0 Karma

kyotosaw
New Member

It's one row per group value, but the sizes of the groups can vary (and are always multiples of 2).

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...