Splunk Search

How to write a search to create a column that will produce results based on another column's data?

payal23
Path Finder
Column1    Column2
28         28
46         46-28
58         58-(28+46)
89         89-(28+46+58)

Is this possible? If yes, please suggest how to write a search for this.

Thanks,
Payal

0 Karma

aholzer
Motivator

This should do what you need:

... | streamstats sum(column1) AS cum_total | eval cum_total = cum_total - column1 | eval column2 = column1 - cum_total | fields - cum_total

Explanation:

  • streamstats sum(column1) AS cum_total = will calculate the cumulative total including the value of column1
  • eval cum_total = cum_total - column1 = removes the value of column1 from the cum_total
  • eval column2 = column1 - cum_total = calculates the value of column2 for you
  • fields - cum_total = removes the cum_total column from your results

Hope this helps

--- EDIT ---

Just had another thought. You might be able to solve this with the delta command. Go here for details.

0 Karma
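The pipeline in the answer above, modelled in plain Python as an added example (this is not code from the original thread or from Splunk). It walks the rows in arrival order exactly as streamstats does, keeps a running total of everything seen so far, and derives column2 from it. The field names column1 and column2 come from the question; the rows, the non-numeric "n/a" value and the helper names are constructed for the example. The non-numeric row shows the one edge case worth knowing: streamstats sum() skips a value it cannot parse, so the running total is unchanged for that row, while eval on a null operand yields a null column2.

```python
# Added example, not from the original thread: a plain-Python model of
#   ... | streamstats sum(column1) AS cum_total
#       | eval cum_total = cum_total - column1
#       | eval column2 = column1 - cum_total
#       | fields - cum_total
# Rows are processed in the order they arrive, as streamstats does.


def to_number(value):
    """Coerce a field the way eval/streamstats treat it: ints and floats pass
    through, numeric strings are parsed, anything else (blank, 'n/a') is None."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return value
    text = str(value).strip()
    if not text:
        return None
    try:
        return int(text)
    except ValueError:
        try:
            return float(text)
        except ValueError:
            return None


def compute_column2(rows):
    """Return a copy of each row with column2 = column1 - (sum of all earlier column1).

    cum_total plays the role of the streamstats field *after* the current row
    has been subtracted back out, i.e. the sum of previous rows only.
    """
    cum_total = 0
    out = []
    for row in rows:
        new_row = dict(row)
        value = to_number(row.get("column1"))
        if value is None:
            # streamstats sum() skips a non-numeric value, so the running
            # total is untouched; eval with a null operand gives a null result
            new_row["column2"] = None
        else:
            new_row["column2"] = value - cum_total
            cum_total += value
        out.append(new_row)
    return out


def describe_column2(rows):
    """Render each row's column2 as the expression shown in the question,
    e.g. '58-(28+46)', which is handy for sanity-checking the numbers."""
    seen = []
    descriptions = []
    for row in rows:
        value = to_number(row.get("column1"))
        if value is None:
            descriptions.append("")
        elif not seen:
            descriptions.append(f"{value}")
        elif len(seen) == 1:
            descriptions.append(f"{value}-{seen[0]}")
        else:
            descriptions.append(f"{value}-({'+'.join(str(s) for s in seen)})")
        if value is not None:
            seen.append(value)
    return descriptions


if __name__ == "__main__":
    # Constructed sample rows matching the table in the question
    sample = [{"column1": 28}, {"column1": 46}, {"column1": 58}, {"column1": 89}]
    for row, text in zip(compute_column2(sample), describe_column2(sample)):
        print(f"{row['column1']:>4} {text:>16} = {row['column2']}")
```

Running the script prints the four rows from the question with the expanded expression next to the computed value. Note that the result depends entirely on row order, so in Splunk the search should sort the events (for example by _time) before the streamstats step if the natural event order is not the one intended.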
