Splunk Search

How to calculate the difference between the first and the last row for each page in search results?

Contributor

My search produced the following CSV:

``````
Date      Page_1   Page_2   Page_3   Page_4   Page_5   Page_6....
1-Jan     1        2        3        4        5        6
2-Jan     10       20       3        4        5        6
..
..
..
22-Apr    100      200      3000     7654     86895    76476
``````

How can I calculate the difference between the first and the last row for every page? Please help.

1 Solution
SplunkTrust

Hi @reverse,

Try this:

``````
| eventstats first(Page*) as first_Page*, last(Page*) as last_Page*
| foreach Page*
    [ eval diff_<<FIELD>> = last_<<FIELD>> - first_<<FIELD>>]
| table Date, Page*, diff_Page*
``````

Sample query:

``````
| makeresults
| eval _raw="Date,Page_1,Page_2,Page_3,Page_4,Page_5,Page_6
1-Jan,1,2,3,4,5,6
2-Jan,10,20,3,4,5,6
22-Apr,100,200,3000,7654,86895,76476"
| multikv forceheader=1
| eventstats first(Page*) as first_Page*, last(Page*) as last_Page*
| foreach Page*
    [ eval diff_<<FIELD>> = last_<<FIELD>> - first_<<FIELD>>]
| table Date, Page*, diff_Page*
``````
Contributor

thank you 🙂

Contributor

@manjunathmeti .. what if there is no pattern in the first row ...

rather than Page_1 Page_2 Page_3 Page_4 Page_5 Page_6....

it is ANJ, JFJ,YFYU,FFJH,FYFUY

SplunkTrust

Then you should use exact field names:

``````
| eventstats first(ANJ) as first_ANJ, last(ANJ) as last_ANJ, first(JFJ) as first_JFJ, last(JFJ) as last_JFJ, .....
| foreach ANJ, JFJ, YFYU,......
    [ eval diff_<<FIELD>> = last_<<FIELD>> - first_<<FIELD>>]
| table Date, ANJ, JFJ,YFYU,FFJH,FYFUY, diff_*
``````
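An alternative for arbitrary field names, added here as an example and not part of the original thread: let `eventstats` wildcard every field, then iterate over the generated `first_*` fields so nothing has to be listed by hand. The sample rows are constructed from the field names in the question, and the query assumes every column other than `Date` is numeric.

```spl
| makeresults
| eval _raw="Date,ANJ,JFJ,YFYU,FFJH,FYFUY
1-Jan,1,2,3,4,5
2-Jan,10,20,3,4,5
22-Apr,100,200,3000,7654,86895"
| multikv forceheader=1
| fields - _* linecount
| eventstats first(*) as first_*, last(*) as last_*
| foreach first_*
    [ eval diff_<<MATCHSTR>> = 'last_<<MATCHSTR>>' - '<<FIELD>>' ]
| fields - first_* last_* diff_Date
```

Inside `foreach first_*`, `<<FIELD>>` is the full name (for example `first_ANJ`) and `<<MATCHSTR>>` is the part matched by the wildcard (`ANJ`); the single quotes keep `eval` treating them as field names even when they contain unusual characters.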
Contributor

thank you 🙂
