Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to Subtract column values in a table and c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-21-2020
04:02 PM
Hi Team,
I have a splunk search which results in the below table...
| Col1 | Col2 | Col3 | Col4 | |
| Row1 | X | X | X | X |
| Row2 | X | X | X | X |
| Row3 | X | X | X | X |
The Col* is dynamic based the time value here its set to 4 month. Each column represent a column with the values from 0-99.
| Jan20 | Feb20 | Mar20 | Apr20 | |
| Row1 | 0 | 8 | 3 | 4 |
| Row2 | 9 | 9 | 7 | 5 |
| Row3 | 8 | 1 | 7 | 1 |
I want check Col2 - Col1 and if the Col2 value is less than Col1 value it should create a new colum and with values like Increasing ,Decreasing, Nothing.
Expecting the result
| Jan20 | Feb20 | Comp_of_Feb_Minus_Jan | Mar20 | Apr20 | Comp_of_Apr_Minus_Mar | |
| Row1 | 0 | 8 | Increased | 3 | 4 | Increased |
| Row2 | 9 | 9 | Nothing changed | 7 | 5 | Decrease |
| Row3 | 8 | 1 | Decrease | 7 | 1 | Decrease |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-26-2020
08:20 AM
Thanks Renjith_Nair,
But i am getting the results like below,
| Rows | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Rows | Feb20-col1 |
| Row1 | 0 | 8 | 3 | decreased | Increased |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-22-2020
03:35 PM
Thank you so much renjith_nair. But i am looking result like below
I am looking the results like
| Feb20 | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Feb20 | Feb20-Jan20 | |
| Row1 | 0 | 8 | 3 | decreased | Increased | Nothing Changed |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-22-2020
07:17 PM
Ok, in your first example , you had difference between alternative months and hence the search was formed.
Try this and let me know what changes you need
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_temp=1
| eval prev_temp=0
| foreach *
[| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_temp}=case('<<FIELD>>' - prev_temp > 0,"Increased",'<<FIELD>>' - prev_temp < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_temp='<<FIELD>>'
| eval count_temp=count_temp+1
| eval PREV_COL_temp="<<FIELD>>"]
| rename *_0 as *
|fields - *temp*,*Minus_
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
