Solved: How to subtract 2 column values and create a new c...

boingodevin · ‎06-23-2015

Hello, I have a chart I am trying to create that splits data based on another field. IE:

  .... |  stats count by Airport status | chart sum(count) over Airport by status

Which gives the chart:
| Airport | Started | Error | Complete |
----------------------------------
| LAX | 43 | 13 | 15 |
| JFK | 31 | 22 | 9 |
| ORD | 43 | 19 | 17 |
| AUS | 54 | 15 | 18 |
| CDG | 325 | 13 | 90 |
| SFO | 248 | 3 | 133 |
----------------------------------

What I would like to do is create a new column with the value consisting of one column value minus another column value. So taking the example above, I want to create a new column called "Dropped" and do the following math:

Dropped = started - (error+complete)

Essentially creating:
| Airport | Started | Error | Complete | Dropped
----------------------------------
| LAX | 43 | 13 | 15 | 5 |
| JFK | 31 | 22 | 9 |0 |
| ORD | 43 | 19 | 17 | 7 |
| AUS | 54 | 15 | 18 | 21 |
| CDG | 325 | 13 | 90 | 222 |
| SFO | 137 | 3 | 133 | 1 |
----------------------------------

boingodevin · ‎06-23-2015

Nevermind I figured this out. It's pretty simple via the | eval Dropped=(started - (Error+Complete))

View solution in original post

boingodevin · ‎06-23-2015

Nevermind I figured this out. It's pretty simple via the | eval Dropped=(started - (Error+Complete))

How to subtract 2 column values and create a new column with the result in a chart?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to subtract 2 column values and create a new column with the result in a chart?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR