Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create difference of two values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
09:53 AM
Q1: How can I get c4 where c4 will always be the difference of values in c3 against max of c2 - min of c2
For example: Here c4 for A = 677-76
Please guide.
c c2 c3
A 1 76
A 2 7
A 3 6
A 4 677
B 1 65
B 2 675
B 3 90
B 4 78
C 1 121
C 2 56
C 3 54
C 4 67
D 1 56
D 2 6
D 3 5
D 4 657
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-04-2019
10:55 AM
@reverse
<your query>| sort c c2
| stats first(c3) as first, last(c3) as last by c
| eval c4=last - first
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-04-2019
10:55 AM
@reverse
<your query>| sort c c2
| stats first(c3) as first, last(c3) as last by c
| eval c4=last - first
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
11:00 AM
This worked but i had to add eventstats. .. was getting blank with stats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-04-2019
11:03 AM
Good to know. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
11:03 AM
Thanks a ton @Vijeta .. Kindly help here as well..
https://answers.splunk.com/answers/750417/playing-with-data-ii.html?minQuestionBodyLength=80
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmorris_splunk
Splunk Employee
06-04-2019
10:38 AM
Try something like this:
index="yourindex" sourcetype="yoursourcetype"
| stats max(c3) as max min(c3) as min by c
| eval c4=max-min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:43 AM
Please see the example
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmorris_splunk
Splunk Employee
06-04-2019
10:50 AM
Is this what you were looking for?
index="yourindex" sourcetype="yoursourcetype"
| eventstats min(c3) as min max(c3) as max by c
| eval c4=max-min
| table c c2 c3 c4
| sort c c2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:42 AM
This is not producing the intended results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:01 AM
@Vijeta please guide.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-04-2019
10:23 AM
@reverse try using delta command and see if that works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:33 AM
Tried that .. it is continuing for all rows .. i want it by c1.. delta is not taking by clause
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-04-2019
10:41 AM
@reverse ok I see you changed the question. Try below
<your query>
| stats max(c3) as max, min(c3) as min by c
| eval c4=max-min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:46 AM
Not producing the intended result..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:48 AM
I need the difference of c2 against c3 values as mentioned in the example
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reverse
Contributor
06-04-2019
10:30 AM
Could you please post an example.. dont know that command..thank you
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
