How to subtract filed values in a column

ezamit · ‎01-31-2024

I have AWS Cloudtrail data and want to find out how long an EC2 instance was stopped. Is it possible to subtract the EpochOT from Row 3 to Row 2 and Row 5 to Row 4 etc..

ezamit · ‎01-31-2024

😀Thanks Guys. it is working !!!!😀

gcusello · ‎01-31-2024

Hi @ezamit ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎01-31-2024

Hi @ezamit,

di you explored the delta command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta)?

Ciao.

Giuseppe

ezamit · ‎01-31-2024

Thanks @gcusello . That's a great suggestion. I added | delta EpochOT p=1 to the search and it gave me the following results

Is there a way we can do every other row in delta. I want Row 3 - Row 2, Row 5 - Row 4, Row 7 - Row 6 etc. Thanks again for your help

gcusello · ‎01-31-2024

Hi @ezamit,

the solution from @ITWhisperer is perfect!

Ciao.

Giuseppe

ITWhisperer · ‎01-31-2024

| eval "delta(EpochOT)" = if(NO % 2 = 0, null(), 'delta(EpochOT)')

How to subtract filed values in a column

eval

fields

table

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

How to subtract filed values in a column

eval

fields

table

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!