How to calculate the difference between two rows w...

splunkrocks2014 · ‎07-18-2018

I have a search returns two rows of records (check the result from the following query):

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| fields - _time
| table date col1 col2 col3 col4

Is there a way to get the difference between the date from all the columns? Here is the expected result:

| makeresults 
| eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
| append [| makeresults 
| eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
| append [| makeresults 
| eval date="diff", col1=4, col2=4, col3=10, col4=10]
| fields - _time
| table date col1 col2 col3 col4

Thanks

renjith_nair · ‎07-18-2018

@splunkrocks2014 ,

Try this,

| makeresults 
 | eval date="2018-07-16", col1=4, col2=5, col3=6, col4=7
 | append [| makeresults 
 | eval date="2018-07-17", col1=8, col2=9, col3=16, col4=17]
 | fields - _time
 | table date col1 col2 col3 col4
 | transpose|rename "row 1" as row1,"row 2" as row2
 | eval diff=if(column!="date",(row2-row1),null())
 | transpose header_field=column|fields - column|fillnull value=diff date

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to calculate the difference between two rows with multiple fields?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?