How to calculate the difference between two rows w...

splunkrocks2014 · ‎07-18-2018

I have a search returns two rows of records (check the result from the following query):

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| fields - _time
| table date col1 col2 col3 col4

Is there a way to get the difference between the date from all the columns? Here is the expected result:

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| append [| makeresults 
| eval date="diff", col1=4, col2=4, col3=10, col4=10]
| fields - _time
| table date col1 col2 col3 col4

Thanks

renjith_nair · ‎07-18-2018

@splunkrocks2014 ,

Try this,

| makeresults 
 | eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
 | append [| makeresults 
 | eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
 | fields - _time
 | table date col1 col2 col3 col4
 | transpose|rename "row 1" as row1,"row 2" as row2
 | eval diff=if(column!="date",(row2-row1),null())
 | transpose header_field=column|fields - column|fillnull value=diff date

Happy Splunking!

How to calculate the difference between two rows with multiple fields?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!