I have two different files abc and abc1. Both have two fields TS1 and TS2. I just want to calculate the difference between TS2 of abc1 and TS1 of abc. I'm new here so please help me guys. Thanks in advance.
You may try this:
index=sth source="abc" | table TS1 | appendcols [search index=sth source="abc1" | table TS2 | rename TS2 as abc1_TS2] | eval Diff = abc1_TS2 - TS1
If these two files are unrelated, you can just use appendcols. Otherwise you should use join [common field]
It's possible that the above version works for you in this case, but here's how I'd solve it (assuming in this case that it's the same sourcetype, as both sources had the same specific fields):
index="A" sourcetype="B" source="ABC" | eval R1 = TS1 | join sourcetype [search index="X" sourcetype="B" source="ABC1" | eval R2 = TS2 | fields - TS2] | eval 'diff(R2-R1)' = R2 - R1 | table 'diff(R2-R1)', R1, R2
If you want just the latest event from each source you could add a dedup command like this:
index="A" sourcetype="B" source="ABC" | dedup source | eval R1 = TS1 | join sourcetype [search index="X" sourcetype="B" source="ABC1" | dedup source | eval R2 = TS2 | fields - TS2] | eval 'diff(R2-R1)' = R2 - R1 | table 'diff(R2-R1)', R1, R2
Perhaps not the most beautiful way to do it but I find it clear. Will not work well in real time.
Hope this helps,
Victor
Will need more information than this. How is your data stored in Splunk for these two files, what type of difference do you want to check, and do you have any sample values?
Are they both going to the same index? If so then it would be easy: you need to use the eval command, which will create a new field (Diff) that will then hold the difference between TS2 and TS1.
index=blah TS1 TS2 | eval Diff=TS2-TS1 | table Diff
index=blah is where you define what index you want to search in
TS1 TS2 calls those fields within index=blah for faster search performance
|eval is a command in Splunk which will make a new field called Diff, which will store the difference between TS2 and TS1
|table Diff will create a table with a column called Diff which will display the difference between TS2 and TS1
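As an added example (not from any of the answers above), here is the same difference computed without join or appendcols, which is the form I'd use when the two files share a key and the timestamps are stored as strings rather than epoch numbers. The index `sth`, the key field `host` and the `%Y-%m-%d %H:%M:%S` timestamp format are assumptions; adjust them to your data.

```spl
index=sth (source="abc" OR source="abc1")
| eval ts=case(source="abc",  strptime(TS1, "%Y-%m-%d %H:%M:%S"),
               source="abc1", strptime(TS2, "%Y-%m-%d %H:%M:%S"))
| stats latest(eval(if(source="abc",  ts, null()))) AS abc_TS1
        latest(eval(if(source="abc1", ts, null()))) AS abc1_TS2
        BY host
| eval Diff=abc1_TS2 - abc_TS1
| where isnotnull(Diff)
| table host abc_TS1 abc1_TS2 Diff
```

strptime converts each timestamp to epoch seconds before the subtraction, so Diff is in seconds; the where clause drops hosts that appear in only one of the two files, which a join or appendcols would otherwise report as an empty or misaligned row.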
Thanks, this query was helpful.
Feel free to upvote if this helped!