Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get the differece between each events using streamstats?

Rajkumarkbm
Engager
‎02-20-2018 10:41 PM

I want to get the difference the events. Please find the below.

Eg:

Field1 Field2 Field3 Diff
ABC 200 CCBA 0
DEF 500 DFDG 0
ABC 600 WERT 400
DEF 200 ERTY -100
ABC 800 WERT 200
DEF 700 ERTY 500

How do I can get the result like the above.?

Tags (1)
0 Karma
Reply

HiroshiSatoh
Champion
‎02-21-2018 01:42 AM

Efficiency is bad because we perform the same search twice using JOIN. Since we are using sub search, there is a default number limit.

(your search)
|streamstats count as key by Field1
|join type=left Field1,key
     [search (your search)|table Field1 Field2|streamstats count as key  by Field1|eval key=key-1
          |rename Field2 as bf_Field2]
|eval Diff=Field2-bf_Field2| fillnull value=0 Diff
|table Field1 Field2 Field3 Diff
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...