Re: How to calculate the difference between two ro... - Splunk Community

Splunk Search

I have a search returns two rows of records (check the result from the following query):

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| fields - _time
| table date col1 col2 col3 col4

Is there a way to get the difference between the date from all the columns? Here is the expected result:

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| append [| makeresults 
| eval date="diff", col1=4, col2=4, col3=10, col4=10]
| fields - _time
| table date col1 col2 col3 col4

Thanks

@splunkrocks2014 ,

Try this,

| makeresults 
 | eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
 | append [| makeresults 
 | eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
 | fields - _time
 | table date col1 col2 col3 col4
 | transpose|rename "row 1" as row1,"row 2" as row2
 | eval diff=if(column!="date",(row2-row1),null())
 | transpose header_field=column|fields - column|fillnull value=diff date

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...