How to get the differece between each events using... - Splunk Community

Splunk Search

I want to get the difference the events. Please find the below.

Eg:

Field1 Field2 Field3 Diff
ABC 200 CCBA 0
DEF 500 DFDG 0
ABC 600 WERT 400
DEF 200 ERTY -100
ABC 800 WERT 200
DEF 700 ERTY 500

How do I can get the result like the above.?

Efficiency is bad because we perform the same search twice using JOIN. Since we are using sub search, there is a default number limit.

(your search)
|streamstats count as key by Field1
|join type=left Field1,key
     [search (your search)|table Field1 Field2|streamstats count as key  by Field1|eval key=key-1
          |rename Field2 as bf_Field2]
|eval Diff=Field2-bf_Field2| fillnull value=0 Diff
|table Field1 Field2 Field3 Diff

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...