Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After grouping data, how to find the difference between each "num" field value pair per row in a table?

kyotosaw
New Member
‎01-29-2015 07:41 PM

I have a query that returns a stats table with all the data I care about, but there's a calculation I'd like to add to this presentation, and I can't seem to figure out how to get it. My stats table looks like this:

group   num
----    ----
a       10
        20
------------
b       10
        20
------------
c       20
        35
        5
        7
------------
d       8
        16

I'd like to get the difference of the num field between each pair of rows so I don't have to calculate it manually, while still having the full context of each line. So I want something that looks like this:

group   num     diff
----    ----    ----
a       10
        20      10
--------------------
b       10
        20      10
--------------------
c       20
        35      15
        5
        7       2
--------------------
d       8
        16      8

I thought I could just pipe everything through the delta command on the num field, even if instead of empty values where I want for the diff field it naively diffed the row above, but that didn't work. Do I need to transform the stats table into a regular table with the 'group' values repeating, or is it something else?

Tags (4)
0 Karma
Reply

cpride_splunk
Splunk Employee
Splunk Employee
‎01-30-2015 01:43 PM

So hopefully this gets you close... The simplest search to do this based on your tables above would be:

<search> | filldown group | streamstats current=f  last(num) as prev by group | eval diff=num - prev | fields -  prev | fields group num diff

If you are trying to limit strictly to pairwise you can adjust the search to this:

<search> | filldown group | streamstats current=f count last(num) as prev by group | eval diff=if(count%2==1,num - prev, "") | fields - count prev | fields group num diff

And if polluting the group field with filldown is a problem you can always do:

<search> | eval statsgroup = group | filldown statsgroup | streamstats current=f count last(num) as prev by statsgroup | eval diff=if(count%2==1,num - prev, "") | fields - count prev statsgroup | fields group num diff
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-30-2015 02:13 PM

It seems there is only one row per group, so filldown would need to be replaced with mvexpand num to enable streamstats.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-29-2015 11:07 PM

Is that one row per group value with multi-value nums, or one row per num value?

0 Karma
Reply

kyotosaw
New Member
‎01-30-2015 10:21 AM

It's one row per group value, but the sizes of the groups can vary (and are always multiples of 2).

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...