Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difference between rows of query result

reverse
Contributor
‎05-17-2019 05:35 PM 
Jan-1 100 60 87 78 86 545 53 509 56 545 656
Jan2  110 60 87 78 86 545 53 509 56 545 656
Jan-3 111 60 87 78 86 545 53 509 56 545 655
Jan-4 112 60 89 78 86 545 53 509 56 545 656

diff 2 0 2 0 ....
I have to compute "always" the difference between last row and first row ( diff)
How can I achieve this ?
Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-18-2019 09:57 AM

@reverse try the following run anywhere example which prepares data similar to your question. from |makeresults till | fields - data count

| makeresults
| eval data="Jan-1 100 60 87 78 86 545 53 509 56 545 656;Jan-2 110 60 87 78 86 545 53 509 56 545 656;Jan-3 111 60 87 78 86 545 53 509 56 545 655;Jan-4 112 60 89 78 86 545 53 509 56 545 656"
| makemv data delim=";"
| stats count by data
| makemv data delim=" "
| eval date=mvindex(data,0),
       field1=mvindex(data,1),
       field2=mvindex(data,2),
       field3=mvindex(data,3),
       field4=mvindex(data,4),
       field5=mvindex(data,5),
       field6=mvindex(data,6),
       field7=mvindex(data,7),
       field8=mvindex(data,8),
       field9=mvindex(data,9),
       field10=mvindex(data,10)
| fields - data count

| fields - date
| stats first(*) as first* last(*) as last*
| foreach first* [| eval diff_<<MATCHSTR>>=first<<MATCHSTR>>-last<<MATCHSTR>>]
| fields diff_*

Then the remaining command calculate difference as per your requirement. Since you have not provided field names I have cooked up all of it as field1, field2 etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-18-2019 09:57 AM

@reverse try the following run anywhere example which prepares data similar to your question. from |makeresults till | fields - data count

| makeresults
| eval data="Jan-1 100 60 87 78 86 545 53 509 56 545 656;Jan-2 110 60 87 78 86 545 53 509 56 545 656;Jan-3 111 60 87 78 86 545 53 509 56 545 655;Jan-4 112 60 89 78 86 545 53 509 56 545 656"
| makemv data delim=";"
| stats count by data
| makemv data delim=" "
| eval date=mvindex(data,0),
       field1=mvindex(data,1),
       field2=mvindex(data,2),
       field3=mvindex(data,3),
       field4=mvindex(data,4),
       field5=mvindex(data,5),
       field6=mvindex(data,6),
       field7=mvindex(data,7),
       field8=mvindex(data,8),
       field9=mvindex(data,9),
       field10=mvindex(data,10)
| fields - data count

| fields - date
| stats first(*) as first* last(*) as last*
| foreach first* [| eval diff_<<MATCHSTR>>=first<<MATCHSTR>>-last<<MATCHSTR>>]
| fields diff_*

Then the remaining command calculate difference as per your requirement. Since you have not provided field names I have cooked up all of it as field1, field2 etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

reverse
Contributor
‎05-18-2019 10:06 AM

it worked.. thanks! how can i show only that data where diff was maximum... like top 2.. I know it is complex

0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎05-18-2019 08:15 PM

how can i show only that data where diff was maximum... like top 2..

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-19-2019 10:25 AM

@reverse try appending the following to your existing search.

| transpose 0 column_name=difference
| sort 0 - "row 1"
| head 2
| transpose header_field=difference
| fields diff_*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎05-17-2019 07:08 PM

results would be dynamic.. first column

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-18-2019 07:07 AM

@reverse please add more details to your problem. For the data provided what is the output you need?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎05-18-2019 07:28 AM

diff is the output

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-18-2019 09:46 AM

@reverse the number of rows is it fixed or can it vary? Also once you have the difference do you want to output only the difference?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎05-18-2019 09:48 AM

Rows will vary as per timepicker range .. last 7 days 30 days .. so on .. columns are fixed though

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...