
## How to calculate values in two fields ?

Builder

hi,

My issue is that I have a table like this:

| field 1 | field 2 |
|---------|---------|
| 1 | 0 |
| 2 | 1 |
| 2 | 2 |
| 1 | 0 |

I want to create a third column that contains the result of:

first line = field1 - field2 = field3

second line = first line field3 + second line field1 - second line field2 = new field3

third line = second line field3 + third line field1 - third line field2 = new field3

etc...

| field 1 | field 2 | field 3 |
|---------|---------|---------|
| 1 | 0 | 1 |
| 2 | 1 | 2 (1+2-1) |
| 1 | 2 | 1 (2+1-2) |
| 1 | 0 | 2 (1+1-0) |

Can you help me ?

Thanks!


SplunkTrust
```
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+field_1-field_2
```

The fillnull may be redundant

Builder

hi,

The result is wrong:

You can see that field_3 is not correct, because it must be LAST field_3 + field IN - field OUT.

The field_3 here just calculates field IN - field OUT.

Example of line 5: -2 (last field_3) + 4 - 0 = 2 and not 4

Can we do that ?

SplunkTrust

Please share the query you used to get this result

Builder

```
| chart count(user) over _time by type
| autoregress field_3
| fillnull value=0 field_3_p1
| eval field_3=field_3_p1+IN-OUT
```

Result:

SplunkTrust

I thought the autoregress would be dynamic - it isn't. Try

```
| eval change=IN-OUT
| streamstats sum(change) as f3
```
Builder

It is perfect!

Thank you!
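Added example, not part of the original thread: a run-anywhere search that builds the four rows of the question's second table with `makeresults` and puts the `autoregress` attempt next to the `streamstats` running total. The `row`, `naive` and `change` field names are assumptions chosen for this illustration.

```spl
| makeresults count=4
| streamstats count as row
| eval field_1=case(row=1,1, row=2,2, row=3,1, row=4,1)
| eval field_2=case(row=1,0, row=2,1, row=3,2, row=4,0)
| autoregress naive
| fillnull value=0 naive_p1
| eval naive=naive_p1+field_1-field_2
| eval change=field_1-field_2
| streamstats sum(change) as field_3
| table row field_1 field_2 naive_p1 naive change field_3
```

`naive` does not exist yet when `autoregress` runs, so `naive_p1` is 0 on every row and `naive` is only field_1 - field_2, which is the behaviour reported in the thread. `field_3` accumulates `change` across rows and reproduces the field 3 column from the question.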
