
## How to calculate values in two fields ?

Builder

hi,

My issue is I have a table like that :

| field 1 | field 2 |
| --- | --- |
| 1 | 0 |
| 2 | 1 |
| 2 | 2 |
| 1 | 0 |

I want to create a third column that holds the result of:

first line = field1 - field2=field3

second line = first line field3 + second line field1 -  second line field2=new field3

third line = second line field3 + third line field1 -  third line field2=new field3

etc...

| field 1 | field 2 | field 3 |
| --- | --- | --- |
| 1 | 0 | 1 |
| 2 | 1 | 2 (1+2-1) |
| 1 | 2 | 1 (2+1-2) |
| 1 | 0 | 2 (1+1-0) |

Can you help me ?

Thanks!

SplunkTrust
```
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+field_1-field_2
```

The fillnull may be redundant

Builder

hi,

the result is wrong :

You can see that the field_3 is not correct because it must be LAST field_3+field IN - field OUT

The field_3 here just calculates field IN - field OUT.

example of line 5 : -2 (last field_3)+4-0=2 and not 4

Can we do that ?

SplunkTrust

Please share the query you used to get this result

Builder

I just added your commands after my chart command:

```
| chart count(user) over _time by type
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+IN-OUT
```

result :

SplunkTrust

I thought the autoregress would be dynamic - it isn't. Try

```
| eval change=IN-OUT
| streamstats sum(change) as f3
```
Builder

It is perfect !

Thank you !
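A self-contained search that reproduces the thread's two approaches side by side, added here as an example and not taken from any of the posts: `first_attempt` is the `autoregress` version, which only ever sees a null `field_3_p1` because `field_3` does not exist yet, and `field_3` is the `streamstats` running total that matches the third column the question asks for. The rows are constructed with `makeresults` from the question's second table; the `row` and `first_attempt` field names are assumptions made for the example.

```spl
| makeresults count=4
| streamstats count as row
| eval field_1=case(row==1,1, row==2,2, row==3,1, row==4,1)
| eval field_2=case(row==1,0, row==2,1, row==3,2, row==4,0)
| autoregress field_3
| fillnull value=0 field_3_p1
| eval first_attempt=field_3_p1+field_1-field_2
| eval change=field_1-field_2
| streamstats sum(change) as field_3
| table row field_1 field_2 first_attempt change field_3
```

`streamstats` accumulates in the order rows reach it, so after `chart ... over _time` the total runs from the oldest bucket to the newest.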
