How to calculate difference between field values i...

vikas_sood · ‎03-22-2022

Hi,

i have 2 events with 3 fields: timestamp , servername, cpu_usage:

22-Mar-2022 00:00:00, server1 ,18

23-Mar-2022, 00:01:00 server1 , 82

22-Mar-2022 00:00:00, server2 ,78

23-Mar-2022, 00:01:00 server2 , 14

I want to calculate difference between 2nd and 1st event for each server. Can you please suggest, how this can be done?

ITWhisperer · ‎03-22-2022

| stats range(cpu_usage) as difference by servername

vikas_sood · ‎03-22-2022

That works, is it possible to add + and - in difference?

ITWhisperer · ‎03-22-2022

| stats first(cpu_usage) as first_value last(cpu_usage) as last_value by servername
| eval difference=last_value-first_value
| eval difference=if(difference>0,"+".difference,difference)

How to calculate difference between field values in two events?

field extraction

fields

stats

table

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!