Solved: Re: How can I add a column at the end that shows t...

JoeHubner · ‎05-20-2022

I would like to add a column to a chart that is the difference of the two columns before it in an application where I am showing the Cost for each employee for the last 2 weeks. Using the search:

index=SampleData

| where _time>relative_time(now(),"-2w@w")

| convert timeformat="%m-%d-%Y" ctime(_time)

| chart sum(Cost) over Employee by _time

The above produces a chart that looks like the following

Employee 05-08-2022 05-15-2022

Employee1 100.00 150.00
Employee2 200.00 175.00

How can I add a column at the end that shows the difference between the two weeks?

somesoni2 · ‎05-20-2022

Give this a try

index=SampleData 
| where _time>relative_time(now(),"-2w@w")
| convert timeformat="%m-%d-%Y" ctime(_time)
| chart sum(Cost) over Employee by _time
| eval diff=-1
| foreach 0* 1* [| eval diff=if(diff=-1,'<<FIELD>>','<<FIELD>>'-diff)]

View solution in original post

somesoni2 · ‎05-20-2022

Give this a try

index=SampleData 
| where _time>relative_time(now(),"-2w@w")
| convert timeformat="%m-%d-%Y" ctime(_time)
| chart sum(Cost) over Employee by _time
| eval diff=-1
| foreach 0* 1* [| eval diff=if(diff=-1,'<<FIELD>>','<<FIELD>>'-diff)]

JoeHubner · ‎05-20-2022

Worked perfect, thanks.

How can I add a column at the end that shows the difference between the two weeks?

chart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!