How to calculate difference between field values i...

vikas_sood · ‎03-22-2022

Hi,

i have 2 events with 3 fields: timestamp , servername, cpu_usage:

22-Mar-2022 00:00:00, server1 ,18

23-Mar-2022, 00:01:00 server1 , 82

22-Mar-2022 00:00:00, server2 ,78

23-Mar-2022, 00:01:00 server2 , 14

I want to calculate difference between 2nd and 1st event for each server. Can you please suggest, how this can be done?

ITWhisperer · ‎03-22-2022

| stats range(cpu_usage) as difference by servername

vikas_sood · ‎03-22-2022

That works, is it possible to add + and - in difference?

ITWhisperer · ‎03-22-2022

| stats first(cpu_usage) as first_value last(cpu_usage) as last_value by servername
| eval difference=last_value-first_value
| eval difference=if(difference>0,"+".difference,difference)

How to calculate difference between field values in two events?

field extraction

fields

stats

table

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?