Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to Subtract column values in a table and c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-21-2020
04:02 PM
Hi Team,
I have a splunk search which results in the below table...
| Col1 | Col2 | Col3 | Col4 | |
| Row1 | X | X | X | X |
| Row2 | X | X | X | X |
| Row3 | X | X | X | X |
The Col* is dynamic based the time value here its set to 4 month. Each column represent a column with the values from 0-99.
| Jan20 | Feb20 | Mar20 | Apr20 | |
| Row1 | 0 | 8 | 3 | 4 |
| Row2 | 9 | 9 | 7 | 5 |
| Row3 | 8 | 1 | 7 | 1 |
I want check Col2 - Col1 and if the Col2 value is less than Col1 value it should create a new colum and with values like Increasing ,Decreasing, Nothing.
Expecting the result
| Jan20 | Feb20 | Comp_of_Feb_Minus_Jan | Mar20 | Apr20 | Comp_of_Apr_Minus_Mar | |
| Row1 | 0 | 8 | Increased | 3 | 4 | Increased |
| Row2 | 9 | 9 | Nothing changed | 7 | 5 | Decrease |
| Row3 | 8 | 1 | Decrease | 7 | 1 | Decrease |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-26-2020
08:20 AM
Thanks Renjith_Nair,
But i am getting the results like below,
| Rows | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Rows | Feb20-col1 |
| Row1 | 0 | 8 | 3 | decreased | Increased |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-22-2020
03:35 PM
Thank you so much renjith_nair. But i am looking result like below
I am looking the results like
| Feb20 | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Feb20 | Feb20-Jan20 | |
| Row1 | 0 | 8 | 3 | decreased | Increased | Nothing Changed |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-22-2020
07:17 PM
Ok, in your first example , you had difference between alternative months and hence the search was formed.
Try this and let me know what changes you need
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_temp=1
| eval prev_temp=0
| foreach *
[| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_temp}=case('<<FIELD>>' - prev_temp > 0,"Increased",'<<FIELD>>' - prev_temp < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_temp='<<FIELD>>'
| eval count_temp=count_temp+1
| eval PREV_COL_temp="<<FIELD>>"]
| rename *_0 as *
|fields - *temp*,*Minus_
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
