Splunk Search

How to calculate values in two fields ?

mah
Builder

hi,

My issue is I have a table like that :

field 1   field 2
1         0
2         1
2         2
1         0

I want to create a third column that contains the result of:

first line: field1 - field2 = field3

second line: first line field3 + second line field1 - second line field2 = new field3

third line: second line field3 + third line field1 - third line field2 = new field3

etc...

field 1   field 2   field 3
1         0         1
2         1         2 (1+2-1)
1         2         1 (2+1-2)
1         0         2 (1+1-0)

Can you help me?

Thanks!


ITWhisperer
SplunkTrust

| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+field_1-field_2

The fillnull may be redundant


mah
Builder

hi,

the result is wrong :

[screenshot: result table with field_3 values]

You can see that field_3 is not correct because it must be LAST field_3 + field IN - field OUT.

The field_3 here just calculates field IN - field OUT.

Example of line 5: -2 (last field_3) + 4 - 0 = 2, and not 4.

Can we do that ?


ITWhisperer
SplunkTrust

Please share the query you used to get this result


mah
Builder

I just added your commands after my chart command:

| chart count(user) over _time by type
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+IN-OUT

Result:

[screenshot: result table where field_3 equals IN - OUT on every row]

ITWhisperer
SplunkTrust

I thought the autoregress would be dynamic - it isn't. Try

| eval change=IN-OUT
| streamstats sum(change) as f3
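
A self-contained search that reproduces the running total on the four rows from the question, added here as an example and not part of either poster's reply. The rows are constructed with makeresults, the column names IN and OUT are assumed from the chart shown above, and field_3 is computed with streamstats rather than autoregress because autoregress only copies the previous row's value of a field that already exists and never sees a value written by a later eval:

```spl
| makeresults count=4
| streamstats count as row
| eval IN=case(row==1,1, row==2,2, row==3,1, row==4,1)
| eval OUT=case(row==1,0, row==2,1, row==3,2, row==4,0)
| eval change=IN-OUT
| streamstats sum(change) as field_3
| table row IN OUT change field_3
```

The table ends with field_3 = 1, 2, 1, 2, matching the expected third column in the question; replacing the makeresults lines with the original chart command gives the same running sum over real data.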

mah
Builder

It is perfect!

Thank you!
