Splunk Search

## How to find difference between two events with streamstats?

Communicator

I have a search as follows:

```
index=someindex_01
| stats count as incoming_counts by incoming_date
| table incoming_counts incoming_date
| appendcols
    [search index=someindex_01
    | stats count as outgoing_counts by outgoing_date
    | table outgoing_counts ]
| eval difference=incoming_counts-outgoing_counts
| streamstats sum(difference) as accumulated_difference
```

Results as follows:

```
incoming_date   incoming_counts   outgoing_counts   difference   accumulated_difference
12/01/2015      230               186               44           44
12/02/2015      176               252               -76          -32
12/03/2015      188               204               -16          -48   <== this is where it starts the error
12/04/2015      142               86                56           8
12/05/2015      70                115               -45          -37
12/06/2015      133               367               -234         -271
```

If you notice, streamstats as 'accumulated_difference' gives an error value in its results when summing two negative values. Any advice on whether my understanding of streamstats was wrong or it is a defect?

1 Solution
Legend

-48 is the correct answer. The math is `(-32) + (-16)`. Think of it like a cumulative total. If you want the difference between only 2 rows, then look at the `window` option.

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats

Communicator

Hey @sundareshr,

The window option is working in my case. Appreciate that!
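
The running total and the `window` option discussed in this thread, side by side, as an added example that is not part of any post here. It assumes a Splunk version that provides `makeresults`; the generated rows stand in for the poster's index, the `difference` values are copied from the results table in the question, and the field names `sum_of_last_2_rows`, `previous_difference` and `change_from_previous_row` are made up for illustration.

```spl
| makeresults count=6
| streamstats count as row
| eval incoming_date=strftime(strptime("12/01/2015", "%m/%d/%Y") + (row-1)*86400, "%m/%d/%Y")
| eval difference=case(row=1, 44, row=2, -76, row=3, -16, row=4, 56, row=5, -45, row=6, -234)
| streamstats sum(difference) as accumulated_difference
| streamstats window=2 sum(difference) as sum_of_last_2_rows
| streamstats current=f window=1 last(difference) as previous_difference
| eval change_from_previous_row=difference-previous_difference
| table incoming_date difference accumulated_difference sum_of_last_2_rows previous_difference change_from_previous_row
```

Without `window`, `streamstats` sums every row seen so far, which is why `accumulated_difference` reaches -48 on 12/03/2015. With `window=2` it sums only the current row and the one before it, and `current=f window=1` exposes the previous row's value so the two rows can be subtracted instead.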