Splunk Search

How to subtract 2 column values and create a new column with the result in a chart?

boingodevin
Engager

Hello, I have a chart I am trying to create that splits data based on another field. IE:

  .... |  stats count by Airport status | chart sum(count) over Airport by status

Which gives the chart:

| Airport | Started | Error | Complete |
|---------|---------|-------|----------|
| LAX | 43 | 13 | 15 |
| JFK | 31 | 22 | 9 |
| ORD | 43 | 19 | 17 |
| AUS | 54 | 15 | 18 |
| CDG | 325 | 13 | 90 |
| SFO | 248 | 3 | 133 |

What I would like to do is create a new column with the value consisting of one column value minus another column value. So taking the example above, I want to create a new column called "Dropped" and do the following math:

Dropped = started - (error+complete)

Essentially creating:

| Airport | Started | Error | Complete | Dropped |
|---------|---------|-------|----------|---------|
| LAX | 43 | 13 | 15 | 5 |
| JFK | 31 | 22 | 9 | 0 |
| ORD | 43 | 19 | 17 | 7 |
| AUS | 54 | 15 | 18 | 21 |
| CDG | 325 | 13 | 90 | 222 |
| SFO | 137 | 3 | 133 | 1 |

1 Solution

boingodevin
Engager

Never mind, I figured this out. It's pretty simple via the | eval Dropped=(Started - (Error+Complete))
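Added example, not part of the original post: a self-contained search that rebuilds a small version of the chart and applies the eval from the accepted solution. The JFK, ORD and AUS rows reuse counts from the question; the DEN rows and the field name constructed_rows are constructed for illustration. DEN has no Error events, so chart leaves that cell empty, and fillnull sets it to 0 before the subtraction.

```spl
| makeresults
| eval constructed_rows="JFK,Started,31;JFK,Error,22;JFK,Complete,9;ORD,Started,43;ORD,Error,19;ORD,Complete,17;AUS,Started,54;AUS,Error,15;AUS,Complete,18;DEN,Started,10;DEN,Complete,4"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Airport>[^,]+),(?<status>[^,]+),(?<count>\d+)$"
| chart sum(count) over Airport by status
| fillnull value=0 Started Error Complete
| eval Dropped = Started - (Error + Complete)
| table Airport Started Error Complete Dropped
```

Field names in eval are case-sensitive and must match the column names that chart produces from the status values. Without the fillnull step, any row with an empty status column would get an empty Dropped value, because arithmetic on a null field returns null.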
