Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Arithmetic operation on fields from different events

sstanlee
Explorer
‎08-17-2020 10:13 AM

Consider the below types of events

fields  :     OS         transaction      numbers

Events:     Win        purchased           150

                   Unix       purchased           200

                   Win        sold                         100

                   Unix       sold                         125

I want the results to be:

 

OS      InHand(purchased-sold)

Win      50

Unix     75

 

How to do this?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-17-2020 12:07 PM 
| makeresults | eval _raw="OS,transaction,numbers
Win,purchased,150
Unix,purchased,200
Win,sold,100
Unix,sold,125"
| multikv forceheader=1
| xyseries OS transaction numbers
| eval InHand=purchased-sold
| table OS InHand

 

upvote if my answer solves your problem.

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-17-2020 12:07 PM 
| makeresults | eval _raw="OS,transaction,numbers
Win,purchased,150
Unix,purchased,200
Win,sold,100
Unix,sold,125"
| multikv forceheader=1
| xyseries OS transaction numbers
| eval InHand=purchased-sold
| table OS InHand

 

upvote if my answer solves your problem.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

sstanlee
Explorer
‎08-17-2020 12:49 PM

I didn't get the results.  

<Index Search>| 

in verbose mode returns 

1. OS=Win Category=purchased Numbers=100

2. OS=Unix Category=purchased Numbers= 200

3. OS=Win Category=sold Number=50

4. OS=Unix Category=sold Number=125

My search scenario is, if OS is Windows, I want to calculate the remaining count which is purchased - sold. How to do this.

 

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-17-2020 01:02 PM

I have shared query for the values you posted. I tried before posting and its working 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

sstanlee
Explorer
‎08-18-2020 09:30 AM

I had more than 100 lines of data, but I quoted few as example.Initially it didnt work. I modified few of your code and it worked.  Thanks a lot. 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-17-2020 02:47 PM 
index=_internal | head 1
| fields _raw _time
| eval _raw="1. OS=Win Category=purchased Numbers=100
2. OS=Unix Category=purchased Numbers=200
3. OS=Win Category=sold Number=50
4. OS=Unix Category=sold Number=125"
| multikv noheader=t
| fields _raw _time
| kv
| rename COMMENT as "this is your sample"

| eval Numbers=coalesce(Numbers,-1 * Number)
| stats sum(Numbers) as "InHand(purchased-sold)" by OS
Reply
Solved! Jump to solution

sstanlee
Explorer
‎08-18-2020 09:31 AM

It worked. Thanks a lot.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...