
How do you subtract two column values in Splunk?

Mohsin123
Path Finder

Hi team,

Say I have a column like this:

_time    A
11pm  30
10pm  40

I have to subtract 40 - 30 and store the result in a new field.

How do I achieve this?

1 Solution

harishalipaka
Motivator

Hi @Mohsin123

Try this:

| makeresults | eval A=30 | append [| makeresults | eval A=40] | delta A

If it helped you, please accept it as the answer or upvote it.

Thanks
Harish


ritchierich
New Member

Splunk active/inactive users

<input type="radio" token="active_account">
  <label>Active accounts</label>
  <choice value="*">all</choice>
  <choice value="1">active</choice>
  <choice value="0">inactive</choice>
  <default>1</default>
</input>
<input type="text" token="user_field" searchWhenChanged="true">
  <label>User:</label>
  <default>*</default>
</input>
<input type="text" token="role_field" searchWhenChanged="true">
  <label>Role:</label>
  <default>*</default>
</input>


<panel>
  <table>
    <search>
      <query>| rest /services/authentication/users | dedup title | rename title as user | eval firstHit=0 | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key) | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit) | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">100</option>
  </table>
</panel>

User/Role/Index Management

<panel>
  <title>Splunk indexes with corresponding roles</title>
  <input type="radio" token="view_field1" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index</default>
  </input>
  <input type="text" token="role_field1" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field1">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_role_indexes | eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$ | dedup role | rex field=index max_match=200 "(?&lt;idx&gt;\w+)" | lookup admin_indexes_data_owners index as idx | stats values(index) as index, values(data_owner) as data_owner by role</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="rowNumbers">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

<panel>
  <title>Splunk users details</title>
  <input type="radio" token="view_field2" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index | nomv role">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index | nomv role</default>
  </input>
  <input type="text" token="user_field2" searchWhenChanged="true">
    <label>User:</label>
    <default>*</default>
  </input>
  <input type="text" token="role_field2" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field2">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_user_index_role | rename roles as role $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen | eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">20</option>
  </table>
</panel>

Mohsin123
Path Finder

Thanks, but what if I have to do this with n columns? It's the row 2 value minus the row 1 value.

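The follow-up (row 2 minus row 1 across n columns) is not answered in the thread. The search below is an added example, not code from either poster; it builds the two rows from the question with makeresults (constructed data, the B column and its values are made up for illustration) and then does the subtraction two ways: with delta, which handles a single field, and with streamstats plus foreach, which generalises to every field you name. Field names prev_A, prev_B, diff_A, diff_B and diff_A_delta are arbitrary.

```spl
| makeresults
| eval _time=relative_time(now(), "-1h@h"), A=30, B=300
| append
    [| makeresults
     | eval _time=relative_time(now(), "-2h@h"), A=40, B=100]
| table _time A B
| delta A as diff_A_delta
| streamstats current=f window=1 last(A) as prev_A last(B) as prev_B
| foreach A B
    [eval diff_<<FIELD>> = '<<FIELD>>' - 'prev_<<FIELD>>']
| table _time A prev_A diff_A B prev_B diff_B diff_A_delta
```

Both delta and streamstats operate on rows in the order they arrive, so the second row gets diff_A = 40 - 30 = 10 (and diff_A_delta the same), while the first row has no previous value and its diff fields are empty. A default search returns newest events first, exactly as in the question's table; if you want "later minus earlier" instead, put `| sort 0 _time` before the streamstats and the sign flips to 30 - 40 = -10. To cover more columns, add them to the streamstats list and to the foreach field list; in a dashboard `<query>` element the `<<FIELD>>` tokens must be XML-escaped as `&lt;&lt;FIELD&gt;&gt;` or wrapped in CDATA.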