Solved: How to dynamically subtract two last column values...

chrisboy68 · ‎05-02-2022

Hi, have SPL that generates months of data. I want subtract just the last two columns. The fields will change month to month, so I can't hard code.

Given the below sample, how can I get lastMonthDiff without hardcoding the field values? Thank you! Chris

| makeresults 
| eval "2202-01"=1 
| eval "2202-02"=2 
| eval "2202-03"=5 
| eval "2202-04"=4 
| append 
    [| makeresults 
    | eval "2202-01"=4 
    | eval "2202-02"=5 
    | eval "2202-03"=7 
    | eval "2202-04"=3
        ] 
| append 
    [| makeresults 
    | eval "2202-01"=5 
    | eval "2202-02"=2 
    | eval "2202-03"=7 
    | eval "2202-04"=9
        ] 
| fields - _time |foreach *  [eval lastMonthDiff = '2202-03' - '2202-04']

ITWhisperer · ‎05-02-2022

| foreach *
    [| eval diff=if(isnull(previous),null(),previous-'<<FIELD>>')
    | eval previous='<<FIELD>>']

View solution in original post

ITWhisperer · ‎05-02-2022

| foreach *
    [| eval diff=if(isnull(previous),null(),previous-'<<FIELD>>')
    | eval previous='<<FIELD>>']

chrisboy68 · ‎05-02-2022

Awesome, thank you!

How to dynamically subtract two last column values?

table

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...