delta is still empty 😞

_time               SerialNumber  Front  Rear                 delta
2019-01-23 11:48:18 570123    2776    2766   
2019-01-23 11:49:18 570123    2948    2941   
2019-01-23 11:50:19 570123    2940    2938   
2019-01-23 11:51:19 570123    2930    2934   
2019-01-23 11:52:20 570123    2921    2931   
2019-01-23 11:53:20 570123    2912    2925   

If merging the rows using the stats command works as expected (which your sample output seems to suggest), then there is no reason that eval part wouldn't work. Can you perhaps post a screenshot that shows the query and the output (mask sensitive details if needed)?

Unless the way you extract the Front and Rear values causes those fields to contain whitespace (which means they are not numeric). Perhaps change the .+ in your regex to \d+.

unfortunately i don't have enough karma points to upload images
but changing .+ to \d+ returning Front and Rear empty

You can always post a link to an image uploaded to some random imagehost 🙂

That seems to suggest the raw data perhaps contains more than 1 space before the number? Can you post some raw data? Or perhaps try this regex (similar for the other):

| rex "Current temp Front block =\s+(?<Front>\d+)"

work like a charm !! thanks !!!!!!!
can you add your answer as answer and not comment so i will be able to accept it ?

Great!

You can mark my answer as accepted, the remaining part of the solution (fixing the regex) are comments under that same answer 🙂

https://answers.splunk.com/answering/735899/view.html

do you have any idea how to solve it ?

this is the error i get:

The specified span would result in too many (>50000) rows.

and also delta is still empty and SerialNumber got empty and the timestamp become without hour:

_time   SerialNumber    Front   Rear    delta
2019-01-23        2781    2791   
2019-01-24        2857    2865   
2019-01-25        2760    2769 

it is exactly what i did and said that gap is empty 🙂

delta is empty

this is how the table looks like

Front   Rear    delta
  2789       
            2797     
  2788       
            2797     

Are the values numeric??
What values does the table produce for Front and Rear?

i pasted an example of the data
the values are numeric

for example :
Front = 2789
Rear = 2797

maybe the problem is that each raw in the table contains only one of the values ?

Front   Rear    delta
  2789       
          2797   
  2788       
          2797   

Oh, they are separate events! that's why.
Is there anything common to both events which relates them?
Something like a host/device name or ID?

i can extract SerialNumber

also, i have this 2 values every minute, i need to check the gap for each minute so if:

_time   SerialNumber    Front   Rear    delta
2019-03-07 11:17:26 570123    2789       
2019-03-07 11:17:26 570123        2797   
2019-03-07 11:16:26 570123    2788       
2019-03-07 11:16:26 570123        2797   

i will have to check it once for 11:17 and once for 11:16

Because you have your values in different events you need to combine them into one event somehow

| makeresults count=12 
| eval SerialNumber="thesameserial1234" 
| streamstats count 
| eval _time=_time+(floor(count/2))*60
| eval Front=if(count%2=0, null(), count) 
| eval Rear=if(count%2=0, count, null()) 
| bin _time span=1m 
| stats values(Front) AS Front values(Rear) AS Rear BY _time SerialNumber 
| eval gap=abs(Front-Rear)

| makeresults count=12 
| eval SerialNumber="thesameserial1234" 
| streamstats count 
| eval _time=_time+(floor(count/2))*60
| eval Front=if(count%2=0, null(), count) 
| eval Rear=if(count%2=0, count, null()) 
| transaction maxspan=1m  _time SerialNumber