How can I find the difference between table rows?

sohaibomar
Explorer

I have results in following table format:

half    app_name    dataconsumed
-----------------------------------
first_half    skype    50
first_half    facebook    90
first_half    yahoo    10
first_half    bing    30
second_half    skype    150
second_half    facebook    100
second_half    yahoo    5
second_half    bing    50

How should I find the difference in dataconsumed (e.g. difference = second_half - first_half) and exclude an app if the difference is negative?

For the above table, the result should be:

app    difference
------------------------
skype    100
facebook    10
bing    20

Note: In the above result table yahoo is excluded since its difference is negative.


DalJeanis
Legend

Try this...

| table half app_name dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by app_name
| eval difference=data2-data1
| where difference > 0

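The accepted answer pivots the two halves into one row per app, subtracts, and keeps only positive differences. The following Python is an added illustration of that same grouping logic, not code from the thread or from Splunk; it runs over rows constructed from the question's table, and the function and field names (`sum_by_app_and_half`, `positive_differences`, dict rows keyed `half`/`app_name`/`dataconsumed`) are my own. It also goes slightly beyond the page by summing repeated rows for the same app and half, as `stats sum` does, and by skipping an app that appears in only one half, which is what the `eval`/`where` pair does when one side of the subtraction is null.

```python
from collections import defaultdict

# Constructed sample rows, copied from the question's table (not real data).
SAMPLE_ROWS = [
    {"half": "first_half", "app_name": "skype", "dataconsumed": 50},
    {"half": "first_half", "app_name": "facebook", "dataconsumed": 90},
    {"half": "first_half", "app_name": "yahoo", "dataconsumed": 10},
    {"half": "first_half", "app_name": "bing", "dataconsumed": 30},
    {"half": "second_half", "app_name": "skype", "dataconsumed": 150},
    {"half": "second_half", "app_name": "facebook", "dataconsumed": 100},
    {"half": "second_half", "app_name": "yahoo", "dataconsumed": 5},
    {"half": "second_half", "app_name": "bing", "dataconsumed": 50},
]


def sum_by_app_and_half(rows):
    """Equivalent of the `stats sum(...) by app_name` step.

    Returns {app_name: {half: total}}. Multiple rows for the same
    app/half pair are summed, exactly as stats sum would do.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for row in rows:
        totals[row["app_name"]][row["half"]] += row["dataconsumed"]
    return totals


def positive_differences(rows, first="first_half", second="second_half"):
    """Return [(app_name, second - first)] for apps whose difference is > 0.

    An app present in only one half is skipped rather than treated as 0:
    in SPL the missing side is null, the eval yields a null difference,
    and `where difference > 0` is false for null, so the row is dropped.
    """
    totals = sum_by_app_and_half(rows)
    result = []
    for app, halves in totals.items():
        if first not in halves or second not in halves:
            continue  # hypothetical edge case: no data for one half
        diff = halves[second] - halves[first]
        if diff > 0:
            result.append((app, diff))
    return result


if __name__ == "__main__":
    for app, diff in positive_differences(SAMPLE_ROWS):
        print(f"{app}\t{diff}")
```

Result order follows first appearance of each app, matching the question's expected table (skype 100, facebook 10, bing 20) with yahoo dropped.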

somesoni2
Revered Legend

Give this a try as well.
Updated

your current search giving fields half, app_name, dataconsumed
| chart values(dataconsumed) over app_name by half
| eval difference=second_half-first_half
| where difference>0

DalJeanis
Legend

@somesoni2 Nice, but difference>0


somesoni2
Revered Legend

Gosh... I can swear it was > in my mind while typing. Thanks @Daljeanis for correcting it.
