Re: How to calculate the difference between two ro... - Splunk Community

Splunk Search

I have a search returns two rows of records (check the result from the following query):

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| fields - _time
| table date col1 col2 col3 col4

Is there a way to get the difference between the date from all the columns? Here is the expected result:

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| append [| makeresults 
| eval date="diff", col1=4, col2=4, col3=10, col4=10]
| fields - _time
| table date col1 col2 col3 col4

Thanks

@splunkrocks2014 ,

Try this,

| makeresults 
 | eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
 | append [| makeresults 
 | eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
 | fields - _time
 | table date col1 col2 col3 col4
 | transpose|rename "row 1" as row1,"row 2" as row2
 | eval diff=if(column!="date",(row2-row1),null())
 | transpose header_field=column|fields - column|fillnull value=diff date

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...