How to calculate the difference between two rows w... - Splunk Community

Splunk Search

I have a search returns two rows of records (check the result from the following query):

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| fields - _time
| table date col1 col2 col3 col4

Is there a way to get the difference between the date from all the columns? Here is the expected result:

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| append [| makeresults 
| eval date="diff", col1=4, col2=4, col3=10, col4=10]
| fields - _time
| table date col1 col2 col3 col4

Thanks

@splunkrocks2014 ,

Try this,

| makeresults 
 | eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
 | append [| makeresults 
 | eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
 | fields - _time
 | table date col1 col2 col3 col4
 | transpose|rename "row 1" as row1,"row 2" as row2
 | eval diff=if(column!="date",(row2-row1),null())
 | transpose header_field=column|fields - column|fillnull value=diff date

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...