Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Diff and % calculation 1st row vs 2nd row

puneethgowda
Communicator
‎11-17-2016 09:13 PM

alt text

source=DAM_DB_SUMMARY_REPORT | eval Date=substr(DATES,1,10) | stats sum(TOTAL_RECORDS) as "Total Records" by Date | sort - Date

i would like to insert one column that should be DIFF and calculation should be subtraction ( Row 1 - row 2) row 1 value us 797,775 and row 2 value is 797,774 so 3rd new column value should be 1. and also we need % in 3rd column 1/797,775 (diff/1st row count)

Tags (1)
Preview file
18 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-18-2016 04:26 AM

I thought this for sure was going to be a streamstats answer, but instead it's far easier to use delta.

You should be able to just add | delta "Total Records" to the end of your search, like

source=DAM_DB_SUMMARY_REPORT | eval Date=substr(DATES,1,10) | stats sum(TOTAL_RECORDS) as "Total Records" by Date | sort - Date | delta "Total Records"

Can you give that a go and report back?

Happy Splunking!
Rich

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-18-2016 04:26 AM

I thought this for sure was going to be a streamstats answer, but instead it's far easier to use delta.

You should be able to just add | delta "Total Records" to the end of your search, like

source=DAM_DB_SUMMARY_REPORT | eval Date=substr(DATES,1,10) | stats sum(TOTAL_RECORDS) as "Total Records" by Date | sort - Date | delta "Total Records"

Can you give that a go and report back?

Happy Splunking!
Rich

Reply
Solved! Jump to solution

puneethgowda
Communicator
‎11-18-2016 04:28 AM

thanks a lot

0 Karma
Reply
Solved! Jump to solution

puneethgowda
Communicator
‎11-18-2016 04:27 AM

sorry it was very simple i have got this after posting here forgot to upfdate

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...