I have columns like column1, column2, column3... and I want output as column1, column2=column2-column1, column3=column3-column2, col4=col4-col3...
Is there any way to write search query for this?
Thanks in advance.
Thanks for your answers, but the columns number is more. I cannot do colY=colY-colX every time, is there any better solution?
I have around 20-30 rows as output and other than columns col1,col2,col3.. I have another one column which I am using in my by clause of search query
How many rows do you get? Do you have other columns as well other than columnNs where N=1,2,3...?
use the eval command / function
... | eval newColumn = columnX - columnY
more on this topic here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Hi, you can try this:
index=xpto source=abc | eval column2a = column2 - column1, column3a = column3 - column2 | table column2a, column3a
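For the many-columns case raised in the follow-up, one way to avoid writing an eval per column is to unpivot the table, take the difference against the previous column within each row, and pivot back. This is an added example, not part of the original answers. It assumes the by-clause field is named `host` (hypothetical), that each `host` value appears on exactly one row, and that the columns reach `untable` in the order they should be differenced.

```spl
index=xpto source=abc
| table host column1 column2 column3 column4
| untable host col value
| streamstats current=f window=1 last(value) as prev by host
| eval value = if(isnull(prev), value, value - prev)
| xyseries host col value
```

The first column of each row has no predecessor, so `prev` is null and its value is kept unchanged. Every later column becomes its value minus the column before it.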