Splunk Search

Generic Solution to Same Column Value Difference

reverse
Contributor

What would be the best generic solution to

https://answers.splunk.com/answers/760677/same-column-value-difference.html?minQuestionBodyLength=80

what if there are multiple As Bs Cs and Ds. As of now mentioned solution is perfect for just 2 same corresponding values.

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval mvfield="10 30 100 234 64 432 3 632 87"
| makemv mvfield
| eval mvdiff = tonumber(mvindex(mvfield, 0)) - tonumber(mvindex(mvfield, 1))
| foreach 1 2 3 4 5 6 7 8 9 10 11 12 
    [eval _t3Mp = tonumber(mvindex(mvfield, <<FIELD>>)) - tonumber(mvindex(mvfield, <<FIELD>> + 1))
  | eval mvdiff = mvappend(mvdiff, _t3Mp) ]
| fields - _t3Mp
| eval mvdiff = mvappend(mvdiff, "N/A")

View solution in original post

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval mvfield="10 30 100 234 64 432 3 632 87"
| makemv mvfield
| eval mvdiff = tonumber(mvindex(mvfield, 0)) - tonumber(mvindex(mvfield, 1))
| foreach 1 2 3 4 5 6 7 8 9 10 11 12 
    [eval _t3Mp = tonumber(mvindex(mvfield, <<FIELD>>)) - tonumber(mvindex(mvfield, <<FIELD>> + 1))
  | eval mvdiff = mvappend(mvdiff, _t3Mp) ]
| fields - _t3Mp
| eval mvdiff = mvappend(mvdiff, "N/A")

reverse
Contributor

THANK YOU !!!!!

0 Karma

jnudell_2
Builder

Be a little bit more specific. If you have three values for C1=A of 10, 4, 5. What would you consider the difference? Difference only works for two values. Unless you mean the difference of the most recent value, minus all previous values (Ie; 10 - 4 - 5 = 1).

C1  C2
---------- 
A   10
A   4
A   5

What would you consider the "difference" for the above?

reverse
Contributor

2nd index value - 1st index value
3rd index value - 2nd index value

basically 0->n
n- (n+1)
where n is the mv index

 C1  C2
 ---------- 
 A   10
 A   4
 A   5

in this example

diff will be -6 and 1

0 Karma

reverse
Contributor

@Vijeta Please visit here.

0 Karma

reverse
Contributor

@Vijeta @jnudell_2 Please guide.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...