Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I find the difference between table rows?

sohaibomar
Explorer
‎09-17-2017 12:17 PM

I have results in following table format:

half    app_name    dataconsumed
-----------------------------------
first_half    skype    50
first_half    facebook    90
first_half    yahoo    10
first_half    bing    30
second_half    skype    150
second_half    facebook    100
second_half    yahoo    5
second_half    bing    50

How should I find the difference in dataconsumed for ex (difference = secondhalf - firsthalf) and exclude app if difference is negative.

for above table result should be:

app    difference
------------------------
skype    100
facebook    10
bing    20

Note: In above result table yahoo is excluded since it's difference is negative.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-17-2017 03:27 PM

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-17-2017 09:27 PM

Give this as well
Updated

your current search giving fields half, app_name, dataconsumed
| chart values(dataconsumed) over app_name by half
| eval difference=second_half-first_half
| where difference>0
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-18-2017 06:11 AM

@somesoni2 nice. but difference>0

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-18-2017 07:29 AM

Gosh... I can swear it was > in my mind while typing. Thanks @Daljeanis for correcting it..

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-17-2017 03:27 PM

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...