Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

After grouping data, how to find the difference between each "num" field value pair per row in a table?

kyotosaw
New Member
‎01-29-2015 07:41 PM

I have a query that returns a stats table with all the data I care about, but there's a calculation I'd like to add to this presentation, and I can't seem to figure out how to get it. My stats table looks like this:

group   num
----    ----
a       10
        20
------------
b       10
        20
------------
c       20
        35
        5
        7
------------
d       8
        16

I'd like to get the difference of the num field between each pair of rows so I don't have to calculate it manually, while still having the full context of each line. So I want something that looks like this:

group   num     diff
----    ----    ----
a       10
        20      10
--------------------
b       10
        20      10
--------------------
c       20
        35      15
        5
        7       2
--------------------
d       8
        16      8

I thought I could just pipe everything through the delta command on the num field, even if instead of empty values where I want for the diff field it naively diffed the row above, but that didn't work. Do I need to transform the stats table into a regular table with the 'group' values repeating, or is it something else?

Tags (4)
0 Karma
Reply

cpride_splunk
Splunk Employee
Splunk Employee
‎01-30-2015 01:43 PM

So hopefully this gets you close... The simplest search to do this based on your tables above would be:

<search> | filldown group | streamstats current=f  last(num) as prev by group | eval diff=num - prev | fields -  prev | fields group num diff

If you are trying to limit strictly to pairwise you can adjust the search to this:

<search> | filldown group | streamstats current=f count last(num) as prev by group | eval diff=if(count%2==1,num - prev, "") | fields - count prev | fields group num diff

And if polluting the group field with filldown is a problem you can always do:

<search> | eval statsgroup = group | filldown statsgroup | streamstats current=f count last(num) as prev by statsgroup | eval diff=if(count%2==1,num - prev, "") | fields - count prev statsgroup | fields group num diff
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-30-2015 02:13 PM

It seems there is only one row per group, so filldown would need to be replaced with mvexpand num to enable streamstats.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-29-2015 11:07 PM

Is that one row per group value with multi-value nums, or one row per num value?

0 Karma
Reply

kyotosaw
New Member
‎01-30-2015 10:21 AM

It's one row per group value, but the sizes of the groups can vary (and are always multiples of 2).

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...