Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I subtract two results from stats?

guimilare
Communicator
‎09-04-2015 07:01 AM

Hi all.

I'm having a hard time trying to make a subtraction..

This is my entry csv:

Date,category,amount,person
01/08/2015,debit,150.00,jose
01/08/2015,debit,130.00,mary
07/08/2015,credit,300.00,jose

What I have so far is:

index=<my_index> | stats sum(amount) as Result by category | addcoltotals labelfield=category label=Total

category                                              Result
debit                                                 280.00
credit                                                300.00
Total                                                 580.00

However, what I want is the difference between Credit and Debit, something like this:

category                                              Result
debit                                                 280.00
credit                                                300.00
Total                                                 20.00

Any ideas how I should write my search?

Thank in advance.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kdoonan
Explorer
‎09-04-2015 08:07 AM

Hi Guimilare,

You could try multiplying one part by -1

index=someindex | eval amount=IF(category=="debit", -1 * amount, amount) | stats sum(amount) as Result by category | addcoltotals labelfield=category label=Total

View solution in original post

Reply
Solved! Jump to solution
Solution

kdoonan
Explorer
‎09-04-2015 08:07 AM

Hi Guimilare,

You could try multiplying one part by -1

index=someindex | eval amount=IF(category=="debit", -1 * amount, amount) | stats sum(amount) as Result by category | addcoltotals labelfield=category label=Total

Reply
Solved! Jump to solution

guimilare
Communicator
‎09-04-2015 08:38 AM

I don't get any errors.. But I get the same result as before...

0 Karma
Reply
Solved! Jump to solution

guimilare
Communicator
‎09-04-2015 09:14 AM

Hi kdoonan, it worked now!
The thing was that -1 shold come after the field amount:

index=someindex | eval amount=IF(category=="debit", amount*-1, amount) | stats sum(amount) as Result by category | addcoltotals labelfield=category label=Total

Thank you!!

0 Karma
Reply
Solved! Jump to solution

guimilare
Communicator
‎09-04-2015 08:16 AM

Hi kdoonan,

It didn't work.
The IF statment is not working... I've tried to change to a positive number (e.g., 10), and no luck either..

Thank you

0 Karma
Reply
Solved! Jump to solution

kdoonan
Explorer
‎09-04-2015 08:27 AM

What error do you get when you try to run it and do you have it in the same part of the search?

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...