Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generic Solution to Same Column Value Difference

reverse
Contributor
‎07-25-2019 09:23 AM

What would be the best generic solution to 

https://answers.splunk.com/answers/760677/same-column-value-difference.html?minQuestionBodyLength=80

what if there are multiple As Bs Cs and Ds. As of now mentioned solution is perfect for just 2 same corresponding values.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-01-2019 08:37 AM

Like this:

| makeresults 
| eval mvfield="10 30 100 234 64 432 3 632 87"
| makemv mvfield
| eval mvdiff = tonumber(mvindex(mvfield, 0)) - tonumber(mvindex(mvfield, 1))
| foreach 1 2 3 4 5 6 7 8 9 10 11 12 
    [eval _t3Mp = tonumber(mvindex(mvfield, <<FIELD>>)) - tonumber(mvindex(mvfield, <<FIELD>> + 1))
  | eval mvdiff = mvappend(mvdiff, _t3Mp) ]
| fields - _t3Mp
| eval mvdiff = mvappend(mvdiff, "N/A")

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-01-2019 08:37 AM

Like this:

| makeresults 
| eval mvfield="10 30 100 234 64 432 3 632 87"
| makemv mvfield
| eval mvdiff = tonumber(mvindex(mvfield, 0)) - tonumber(mvindex(mvfield, 1))
| foreach 1 2 3 4 5 6 7 8 9 10 11 12 
    [eval _t3Mp = tonumber(mvindex(mvfield, <<FIELD>>)) - tonumber(mvindex(mvfield, <<FIELD>> + 1))
  | eval mvdiff = mvappend(mvdiff, _t3Mp) ]
| fields - _t3Mp
| eval mvdiff = mvappend(mvdiff, "N/A")
Reply
Solved! Jump to solution

reverse
Contributor
‎08-01-2019 08:46 AM

THANK YOU !!!!!

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎07-31-2019 01:05 PM

Be a little bit more specific. If you have three values for C1=A of 10, 4, 5. What would you consider the difference? Difference only works for two values. Unless you mean the difference of the most recent value, minus all previous values (Ie; 10 - 4 - 5 = 1).

C1  C2
---------- 
A   10
A   4
A   5

What would you consider the "difference" for the above?

Reply
Solved! Jump to solution

reverse
Contributor
‎07-31-2019 04:14 PM

2nd index value - 1st index value
3rd index value - 2nd index value

basically 0->n
n- (n+1)
where n is the mv index

 C1  C2
 ---------- 
 A   10
 A   4
 A   5

in this example

diff will be -6 and 1

0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎07-25-2019 09:24 AM

@Vijeta Please visit here.

0 Karma
Reply
Solved! Jump to solution

reverse
Contributor
‎07-31-2019 11:36 AM

@Vijeta @jnudell_2 Please guide.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...