Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display the value of the difference result in Splunk?

vdalvi
Explorer
‎06-03-2020 03:00 PM

Hi,

How can I display the actual value of the difference in a new column? The value is "cts16k1sacc".
Row 1 in attached screenshot....

I want to be able to display the actual value of my cmtsID besides the difference column for example column name "Added" or "Removed" to reflect the Difference numeric value

Preview file
8 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 05:30 PM

Please use more words to describe your problem. The screen shot shows a "difference" column already and doesn't have "cts16k1sacc" in it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vdalvi
Explorer
‎06-03-2020 05:45 PM

Hi Rich, not sure why my original post didnt allow me to write a long post.

So yes as we see in row 1 the Difference of Today - Yesterday = 1. In my splunk search logs it reflects to a value of "cts16k1sacc" which was received new today. I wanted to check how can I display the actual values in a new column besides the calculated difference i.e "cts16k1sacc". So I can look at the table and say it was new value today. I plan to implement this on a much larger scale but started small with just first row for now...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 05:35 AM

Please share your search and some sample data so we can see how the results are produced.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vdalvi
Explorer
‎06-04-2020 08:19 AM

HI Rich,

Below is search output

Enabled Today Yesterday Difference
0.0 7 17 -10
1.0 3547 3749 -202

I would like to see the values that "10" and "202" correspond to in a new column say Added and Removed (since above are negative drop from yesterday they would be under Removed)

Below is the sample event output as well

6/4/20
7:39:52.000 AM

2020-06-04 07:39:52 [properties-data-container-10-C-1] INFO c.s.n.n.consumer.Receiver - topicName = properties.cmts, fqdn = mailhi0101m.hawaii.rr.com , enabled = 0.0
host = * source = /var/notes/noc/noc-properties-consumer.logsourcetype = noc-data-consumertopicName = properties.cmts

6/4/20
7:39:52.000 AM

2020-06-04 07:39:52 [properties-data-container-1-C-1] INFO c.s.n.n.consumer.Receiver - topicName = properties.cmts, fqdn = mailhi0102m.hawaii.rr.com , enabled = 0.0
host = * source = /var/notes/noc/noc-properties-consumer.logsourcetype = noc-data-consumertopicName = properties.cmts

I would like to see the value of fqdn in the Added or Removed Column as its unique and will tell me new fqdn Added or Removed

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

   Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...