Splunk Search

How do you subtract two column values in Splunk?

Mohsin123
Path Finder

Hi team,

Say I have a column like this:

_time    A
11pm  30
10pm  40

I have to subtract 40-30 and store the result in a new field.

How do I achieve this?

1 Solution

harishalipaka
Motivator

Hi @Mohsin123,

Try this:

|makeresults |eval A=30 |append [|makeresults |eval A=40] |delta A

If it helped you, please accept it as the answer or upvote it.

Thanks
Harish


ritchierich
New Member

Splunk active/inactive users

<input type="radio" token="active_account">
  <label>Active accounts</label>
  <choice value="*">all</choice>
  <choice value="1">active</choice>
  <choice value="0">inactive</choice>
  <default>1</default>
</input>
<input type="text" token="user_field" searchWhenChanged="true">
  <label>User:</label>
  <default>*</default>
</input>
<input type="text" token="role_field" searchWhenChanged="true">
  <label>Role:</label>
  <default>*</default>
</input>


<panel>
  <table>
    <search>
      <query>| rest /services/authentication/users   | dedup title   | rename title as user | eval firstHit=0  | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active  | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key)  | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit)  | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">100</option>
  </table>
</panel>

User/Role/Index Management

<panel>
  <title>Splunk indexes with corresponding roles</title>
  <input type="radio" token="view_field1" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index</default>
  </input>
  <input type="text" token="role_field1" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field1">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_role_indexes
| eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$
| dedup role
| rex field=index max_match=200 "(?&lt;idx&gt;\w+)"
| lookup admin_indexes_data_owners index as idx
| stats values(index) as index, values(data_owner) as data_owner by role</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">20</option>
  </table>
</panel>

<panel>
  <title>Splunk users details</title>
  <input type="radio" token="view_field2" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index | nomv role">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index | nomv role</default>
  </input>
  <input type="text" token="user_field2" searchWhenChanged="true">
    <label>User:</label>
    <default>*</default>
  </input>
  <input type="text" token="role_field2" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field2">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_user_index_role | rename roles as role  $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen| eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">20</option>
  </table>
</panel>
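The dashboard above reads a `splunk_users` lookup that carries `firstHit` and `lastHit` per user (keyed by `_key`), but nothing in the post shows how that lookup is filled. The following scheduled search is an added example, not from the post or its author, of one way to populate it from Splunk's own `_audit` index. It assumes that `splunk_users` is a KV store collection whose `_key` is the username (inferred from the `_key` handling in the dashboard's queries, and requiring the collection to be declared in collections.conf and transforms.conf) and uses the standard `_audit` field names for successful logins (`action="login attempt"`, `info=succeeded`, `user`); the 90-day window is a constructed choice.

```spl
index=_audit action="login attempt" info=succeeded earliest=-90d@d latest=now
| stats min(_time) as firstHit, max(_time) as lastHit by user
| inputlookup append=true splunk_users
| eval user = coalesce(user, _key)
| stats min(firstHit) as firstHit, max(lastHit) as lastHit by user
| eval _key = user
| outputlookup splunk_users
```

The second `stats` merges the fresh 90-day figures with whatever the lookup already holds, so `firstHit` keeps the earliest login ever recorded even after those events age out of the search window, while `lastHit` always moves forward. Run it on a daily schedule under an account that can read `_audit` (admin-only by default). With the lookup maintained this way, the dashboard's "inactive" rows are exactly the accounts that once logged in but that `| rest /services/authentication/users` no longer returns, and a stale `lastHit` on an "active" row flags a dormant account worth including in an access review.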

Mohsin123
Path Finder

Thanks, but what if I have to do this with n columns? It's the row 2 value minus the row 1 value.

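The n-column case asked about above has no answer in the thread; the following is an added example, not from the thread or its participants, of the usual generalization. `delta` handles one field per invocation, so it is replaced by `streamstats current=f window=1`, which carries each row's predecessor forward, and `foreach`, which subtracts for every field in the list. The fields A and B and their values are constructed with `makeresults` so the search runs on any Splunk instance; substitute your own base search and field list.

```spl
| makeresults count=3
| streamstats count as row
| eval _time = now() - (row * 3600), A = row * 10, B = row * 100
| fields - row
| streamstats current=f window=1 last(A) as A_prev, last(B) as B_prev
| foreach A B
    [ eval <<FIELD>>_diff = '<<FIELD>>' - '<<FIELD>>_prev' ]
| fields - A_prev, B_prev
| table _time, A, A_diff, B, B_diff
```

The constructed rows come out newest first (A = 10, 20, 30), matching the layout in the question, and each `_diff` is the current row minus the row above it: `A_diff` is 10 and `B_diff` is 100 on rows 2 and 3, and empty on row 1 because it has no predecessor, which is the same convention `delta` uses. To take the difference in chronological order instead (later event minus earlier), put `| reverse` before the `streamstats`. Adding a field means adding it to both the `streamstats` and the `foreach` list; `foreach` also accepts wildcards such as `foreach *_count` when the fields share a naming pattern.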