- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-21-2020
04:02 PM
Hi Team,
I have a splunk search which results in the below table...
| Col1 | Col2 | Col3 | Col4 | |
| Row1 | X | X | X | X |
| Row2 | X | X | X | X |
| Row3 | X | X | X | X |
The Col* is dynamic based the time value here its set to 4 month. Each column represent a column with the values from 0-99.
| Jan20 | Feb20 | Mar20 | Apr20 | |
| Row1 | 0 | 8 | 3 | 4 |
| Row2 | 9 | 9 | 7 | 5 |
| Row3 | 8 | 1 | 7 | 1 |
I want check Col2 - Col1 and if the Col2 value is less than Col1 value it should create a new colum and with values like Increasing ,Decreasing, Nothing.
Expecting the result
| Jan20 | Feb20 | Comp_of_Feb_Minus_Jan | Mar20 | Apr20 | Comp_of_Apr_Minus_Mar | |
| Row1 | 0 | 8 | Increased | 3 | 4 | Increased |
| Row2 | 9 | 9 | Nothing changed | 7 | 5 | Decrease |
| Row3 | 8 | 1 | Decrease | 7 | 1 | Decrease |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-26-2020
08:20 AM
Thanks Renjith_Nair,
But i am getting the results like below,
| Rows | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Rows | Feb20-col1 |
| Row1 | 0 | 8 | 3 | decreased | Increased |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-22-2020
03:35 PM
Thank you so much renjith_nair. But i am looking result like below
I am looking the results like
| Feb20 | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Feb20 | Feb20-Jan20 | |
| Row1 | 0 | 8 | 3 | decreased | Increased | Nothing Changed |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-22-2020
07:17 PM
Ok, in your first example , you had difference between alternative months and hence the search was formed.
Try this and let me know what changes you need
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_temp=1
| eval prev_temp=0
| foreach *
[| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_temp}=case('<<FIELD>>' - prev_temp > 0,"Increased",'<<FIELD>>' - prev_temp < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_temp='<<FIELD>>'
| eval count_temp=count_temp+1
| eval PREV_COL_temp="<<FIELD>>"]
| rename *_0 as *
|fields - *temp*,*Minus_
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
