Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Subtract column values in a table and creat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-21-2020
04:02 PM
Hi Team,
I have a splunk search which results in the below table...
| Col1 | Col2 | Col3 | Col4 | |
| Row1 | X | X | X | X |
| Row2 | X | X | X | X |
| Row3 | X | X | X | X |
The Col* is dynamic based the time value here its set to 4 month. Each column represent a column with the values from 0-99.
| Jan20 | Feb20 | Mar20 | Apr20 | |
| Row1 | 0 | 8 | 3 | 4 |
| Row2 | 9 | 9 | 7 | 5 |
| Row3 | 8 | 1 | 7 | 1 |
I want check Col2 - Col1 and if the Col2 value is less than Col1 value it should create a new colum and with values like Increasing ,Decreasing, Nothing.
Expecting the result
| Jan20 | Feb20 | Comp_of_Feb_Minus_Jan | Mar20 | Apr20 | Comp_of_Apr_Minus_Mar | |
| Row1 | 0 | 8 | Increased | 3 | 4 | Increased |
| Row2 | 9 | 9 | Nothing changed | 7 | 5 | Decrease |
| Row3 | 8 | 1 | Decrease | 7 | 1 | Decrease |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-26-2020
08:20 AM
Thanks Renjith_Nair,
But i am getting the results like below,
| Rows | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Rows | Feb20-col1 |
| Row1 | 0 | 8 | 3 | decreased | Increased |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vignesh-107
Path Finder
12-22-2020
03:35 PM
Thank you so much renjith_nair. But i am looking result like below
I am looking the results like
| Feb20 | Mar20 | Apr20 | Apr20-Mar20 | Mar20-Feb20 | Feb20-Jan20 | |
| Row1 | 0 | 8 | 3 | decreased | Increased | Nothing Changed |
| Row2 | 9 | 9 | 7 | decreased | Nothing Changed | Nothing Changed |
| Row3 | 8 | 1 | 7 | Increased | decreased | decreased |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-22-2020
07:17 PM
Ok, in your first example , you had difference between alternative months and hence the search was formed.
Try this and let me know what changes you need
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_temp=1
| eval prev_temp=0
| foreach *
[| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_temp}=case('<<FIELD>>' - prev_temp > 0,"Increased",'<<FIELD>>' - prev_temp < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_temp='<<FIELD>>'
| eval count_temp=count_temp+1
| eval PREV_COL_temp="<<FIELD>>"]
| rename *_0 as *
|fields - *temp*,*Minus_
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-21-2020
06:04 PM
Try adding this to your existing search
"your search"
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
Here is a run anywhere example implementing the same logic
| makeresults
| eval "1Jan20"=1
| eval "2Feb20"=2
| eval "3Mar20"=5
| eval "4Apr20"=4
| append
[| makeresults
| eval "1Jan20"=4
| eval "2Feb20"=5
| eval "3Mar20"=7
| eval "4Apr20"=3
]
| append
[| makeresults
| eval "1Jan20"=5
| eval "2Feb20"=2
| eval "3Mar20"=7
| eval "4Apr20"=9
]
| fields - _time
| eval count_1=1
| eval prev_1=0
| foreach *
[ eval mod_1=count_1%2
| eval Comp_of_<<FIELD>>_Minus_{PREV_COL_1}_{mod_1}=case('<<FIELD>>' - prev_1 > 0,"Increased",'<<FIELD>>' - prev_1 < 0,"Decreased",1=1,"Nothing Changed")
| eval prev_1='<<FIELD>>'
| eval count_1=count_1+1
| eval PREV_COL_1="<<FIELD>>"]
| rename *_0 as *
| fields - *_1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
