Splunk Search

How to check which value is larger than the other and calculate the gap between them?

sarit_s
Communicator

Hi
I have two values that I need to check which one of them is bigger and calculate the gap between them.
How can I do it?
I tried this:

| rex "Current temp Front block = (?<Front>.+)" | rex "Current temp Rear block = (?<Rear>.+)"|eval gap=coalesce(Front>Rear, Front-Rear, Rear-Front) |table Front Rear gap

But gap is returning empty

1 Solution

FrankVl
Ultra Champion

Assuming you have serialnumber, Front and Rear extracted, just add the following to your search:

| stats max(Front) as Front max(Rear) as Rear by _time,serialnumber | eval delta=abs(Front-Rear)

The stats command combines the two rows with same time and serialnumber, the eval calculates the delta (using abs, so result is always positive and you don't need to first check which one is bigger).

A search incl. your sample data to demonstrate it works:

| makeresults | eval serialnumber=570123 | eval Front=2788
| append [ | makeresults | eval serialnumber=570123 | eval Rear=2797  ]
| append [ | makeresults | eval serialnumber=570123 | eval Front=2789 | eval _time=_time+60  ]
| append [ | makeresults | eval serialnumber=570123 | eval Rear=2797 | eval _time=_time+60  ]
| stats max(Front) as Front max(Rear) as Rear by _time,serialnumber | eval delta=abs(Front-Rear)

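As an added illustration (not part of FrankVl's answer and not Splunk code), the same pipeline reproduced in Python: the two rex extractions, the stats grouping by _time and serialnumber, and abs(Front-Rear), run over constructed events. The sample readings, the serial number and the final Front-only timestamp are assumptions; that last timestamp shows why a group that only has one side (like the first row in the result posted below) gets no delta.

```python
import re
from collections import defaultdict

# Same patterns as the two rex commands in the question.
FRONT_RE = re.compile(r"Current temp Front block = (?P<Front>.+)")
REAR_RE = re.compile(r"Current temp Rear block = (?P<Rear>.+)")

def event(ts, serial, raw):
    """Build one constructed event in the shape the question describes."""
    return {"_time": ts, "serialnumber": serial, "_raw": raw}

# Constructed sample: Front and Rear readings for one device arrive as separate
# events sharing _time and serialnumber; the last timestamp has Front only.
SAMPLE_EVENTS = [
    event("2019-03-24 16:25:11", "570123", "Current temp Front block = 2788"),
    event("2019-03-24 16:25:11", "570123", "Current temp Rear block = 2797"),
    event("2019-03-24 16:26:11", "570123", "Current temp Front block = 2789"),
    event("2019-03-24 16:26:11", "570123", "Current temp Rear block = 2797"),
    event("2019-03-24 16:27:11", "570123", "Current temp Front block = 2790"),
]

def extract(ev):
    """Mirror the two `| rex` commands: add Front/Rear when a pattern matches."""
    out = dict(ev)
    for regex in (FRONT_RE, REAR_RE):
        m = regex.search(ev["_raw"])
        if m:
            out.update({k: float(v) for k, v in m.groupdict().items()})
    return out

def front_rear_delta(events):
    """Mirror `| stats max(Front) as Front max(Rear) as Rear by _time,serialnumber
    | eval delta=abs(Front-Rear)`. Rows sharing (_time, serialnumber) collapse
    into one; delta is None when a side is missing, as eval returns null when an
    operand field does not exist."""
    groups = defaultdict(dict)
    for ev in map(extract, events):
        g = groups[(ev["_time"], ev["serialnumber"])]
        for field in ("Front", "Rear"):
            if field in ev:  # stats max(): keep the largest value seen
                g[field] = max(ev[field], g.get(field, ev[field]))
    rows = []
    for (ts, serial), g in sorted(groups.items()):
        front, rear = g.get("Front"), g.get("Rear")
        delta = abs(front - rear) if None not in (front, rear) else None
        rows.append({"_time": ts, "serialnumber": serial,
                     "Front": front, "Rear": rear, "delta": delta})
    return rows
```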

sarit_s
Communicator

This is the result I got:
Front  Rear  _raw    _time                closed_txn  count  duration  eventcount  field_match_sum  linecount
12           12      2019-03-24 16:28:11  0                  0         1           1                1
11     10    10, 11  2019-03-24 16:27:11  0                  0         2           2                2
9      8     8, 9    2019-03-24 16:26:11  0                  0         2           2                2
7      6     6, 7    2019-03-24 16:25:11  0                  0         2           2                2

No idea what is going on there.
Maybe you can explain the search command to me?
