
## How to calculate values in two fields ?

Builder

hi,

My issue is I have a table like this:

| field 1 | field 2 |
|---|---|
| 1 | 0 |
| 2 | 1 |
| 2 | 2 |
| 1 | 0 |

I want to create a third column that contains the result of:

first line = field1 - field2=field3

second line = first line field3 + second line field1 -  second line field2=new field3

third line = second line field3 + third line field1 -  third line field2=new field3

etc...

| field 1 | field 2 | field 3 |
|---|---|---|
| 1 | 0 | 1 |
| 2 | 1 | 2 (1+2-1) |
| 1 | 2 | 1 (2+1-2) |
| 1 | 0 | 2 (1+1-0) |

Can you help me ?

Thanks!

SplunkTrust
```spl
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+field_1-field_2
```

The fillnull may be redundant

Builder

hi,

The result is wrong:

You can see that field_3 is not correct because it must be LAST field_3 + field IN - field OUT.

The field_3 here just calculates field IN - field OUT.

Example of line 5: -2 (last field_3)+4-0=2 and not 4

Can we do that ?

SplunkTrust

Please share the query you used to get this result

Builder

```spl
| chart count(user) over _time by type
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+IN-OUT
```

Result:

SplunkTrust

I thought the autoregress would be dynamic - it isn't. Try

```spl
| eval change=IN-OUT
| streamstats sum(change) as f3
```
Builder

It is perfect !

Thank you !
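An added example, not part of the original thread: it builds the four rows of the question's expected table with `makeresults` and runs the first attempt beside the accepted `streamstats` running total. The `row` helper field and the `autoregress_result` column name are assumptions made for illustration. `autoregress_result` stays at field_1 - field_2 on every row because `field_3` does not exist yet when `autoregress` runs, while `field_3` accumulates to the values in the question's field 3 column.

```spl
| makeresults count=4
| streamstats count as row
| eval field_1=case(row=1,1, row=2,2, row=3,1, row=4,1)
| eval field_2=case(row=1,0, row=2,1, row=3,2, row=4,0)
| autoregress field_3
| fillnull value=0 field_3_p1
| eval autoregress_result=field_3_p1+field_1-field_2
| eval change=field_1-field_2
| streamstats sum(change) as field_3
| table row field_1 field_2 autoregress_result field_3
```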
