How to write a search to create a column that will...

payal23 · ‎11-02-2015

Column1    Column2
28         28
46         46-28
58         58-(28+46)
89         89-(28+46+58)

Is this possible? If yes, plz suggest how to write a search for this.

Thanks,
Payal

aholzer · ‎11-02-2015

This should do what you need:

... | streamstats sum(column1) AS cum_total | eval cum_total = cum_total - column1| eval column2 = column1 - cum_total | fields - cum_total

Explanation:

streamstats sum(column1) AS cum_total = will calculate the cumulative total including the value of column1
eval cum_total = cum_total - column1 = removes the value of column1 from the cum_total
eval column2 = column1 - cum_total = calculates the value of column2 for you
fields - cum_total = removes the cum_total column from your results

Hope this helps

--- EDIT ---

Just had another thought. You might be able to solve this with the delta command. Go here for details.

piUek · ‎11-02-2015

How to write a search to create a column that will produce results based on another column's data?