Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search to subtract a token from the previous value in a row

kishan2356
Explorer
‎03-21-2022 02:39 PM

Hello,

 

I need to build a search where I can subtract a token from the previous value in a row. Example

I know how to get the first count (800) which is simply calculated through a query I already have. I do not know how to get the token to subtract from the value of the cell right above. Does anyone who how to write this into Splunk query logic that can compute these values?

_time

Count

Notes

05:00

800

Saved token = 100

05:05

700

800-100

05:10

600

700-100
Labels (4)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-21-2022 06:08 PM

Here are three examples, using autoregress, delta and streamstats.

streamstats is the most powerful and will be needed if you want to split by any field, but the others are simplke options.

autoregress will simply put a value from one event into another and then you can do the cals

Look at this example - up to the autoregress is just data setup for the example. I am not sure if you want the negative or positive diff - but have a play.

| makeresults
| eval _raw="time,Count,Notes
05:00,800,Saved token = 100
05:05,700,800-100
05:10,600,700-100"
| multikv forceheader=1
| table time Count Notes
| autoregress Count as AR_Count
| eval AR_Diff=AR_Count-Count
| streamstats window=2 range(Count) as SS_Diff
| delta Count as D_Diff

 

Reply

kishan2356
Explorer
‎03-24-2022 08:18 AM

I should add that time bins are selected through a time picker so they can't be saved times in the query. Can we work around this?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-28-2022 02:59 PM

Not sure what you mean here by time bins. You can set the time range for the search in the search itself with the earliest=X latest=Y search criteria.

Perhaps you can give some more detail on your data and how you are currently getting from your data to your example.

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...