Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the difference between the max value and the min value in the multi-value field combined by transaction?

Msugiyama
Path Finder
‎04-13-2022 06:32 AM

I want to find the difference between the maximum value and the minimum value in the multi-value field that has been lumped together with the transaction command.

Specifically, group the web access logs by ID, and then
I would like to find the time that the ID was operating from login to operation to logout.

Do you have an idea for SPL?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Msugiyama
Path Finder
‎04-13-2022 04:59 PM

|makeresults
|eval txnid=1234, value=40
|append [|makeresults |eval txnid=1234, value=20]
|transaction txnid |eval diff = abs(tonumber(mvindex(value, 0)) - tonumber(mvindex(value, 1)))
|table diff

@venky1544 
This is it!
Thank you so much. I solved it with this SPL.
Best regard.

@richgalloway 
Thank you too.
I will read the page that guided me.

Reply

venky1544
Builder
‎04-14-2022 02:28 AM

Hi @Msugiyama 

if the solutions has helped you  can you please accept it as solution as it might help others 

thanks

Njoy splunking

venky1544

0 Karma
Reply

venky1544
Builder
‎04-13-2022 08:47 AM

hi @Msugiyama 

if you could share some sample data thats would be great for more people to pitch in 

and are you asking two different questions here 

about the diff of the max and min value clubbed together by transaction command you can try something like this 

|makeresults |eval txnid=1234, value=40 |append [|makeresults |eval txnid=1234, value=20] |transaction txnid |eval diff = abs(tonumber(mvindex(value, 0)) - tonumber(mvindex(value, 1))) |table diff

 

venky1544_0-1649864675549.png

and about the group the web access logs by ID you can use the stats command

but would appreciate if you could throw more sample data 

 

if the reply helps karma points are appreciated 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-13-2022 08:44 AM

Can you tell us more about this use case?  What is the query?  What type of data are you comparing?

Check out the mvstats app (https://splunkbase.splunk.com/app/5198/) for functions that work with multivalue fields.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...