Splunk Search

## Join events and evaluate difference price

Path Finder

Hi

I have data like this:

I have joined the uuid over the market data together, like that:

But there are 4 date columns; I want to show only one, and I want to add a price difference column like

Cex.io - koinim = 7280.10 - 7377.70 = 97.6. How can I achieve this?

SplunkTrust

You have three or more different markets at each point in time, so there are three or more different price differences. With a fourth market, there are six different price differences; with five, there are ten.

If I were you, for a dashboard, I would present two different panels, both using the same base search. The first panel would be the actual prices. The second would be the difference between the prices, in a specific order (you pick one).

```
sourcetype="coinmarketcap_csv" etc.etc.etc.
| eval market = upper(substr(market,1,3))
| eval {market} = price
| fields - vol* market
| stats first(_time) as _time values(*) as * range(price) as HILO by uuid
| fields - price
```

The above gives you BTC, CEX, KOI and PAR as your four prices, with HILO as the difference between top and bottom prices.

This section calculates the six differences. This is largely redundant, because any 3 encode all the rest. If you select one of them, for example BTC, as the "standard", then everything else stands in relationship to that standard, and you would only need the first three lines.

```
| eval BTCCEX = BTC - CEX
| eval BTCKOI = BTC - KOI
| eval BTCPAR = BTC - PAR
| eval CEXKOI = CEX - KOI
| eval CEXPAR = CEX - PAR
| eval KOIPAR = KOI - PAR
```

See if the above helps you get what you want.

Path Finder

It works, thanks; but I want to learn how it works.

`| eval market = upper(substr(market,1,3))`
It takes the first 3 characters, ok.
`| eval {market} = price`
What does that `{ }` mean?
`| fields - vol* market`
It doesn't show vol and market.

`| stats first(_time) as _time values(*) as * range(price) as HILO by uuid`
Get first time as time, ok.
`values(*) as *` for what?
`range(price) as HILO by uuid` and I don't understand?
`| fields - price`
Don't show price.

`| eval BTCCEX = BTC - CEX`
It works, and also I added

`| eval BTCCEX = BTC - CEX | search BTCCEX > 50`

SplunkTrust

The curly braces `{}` will take whatever value is in the variable and use that as the name of a new variable.

`stats values(test*) as val* by something` will take each variable that starts with test, and will create a variable that starts with val, that contains all the values (up to 100). So, for instance, `test1` becomes `val1`, `testfoo` becomes a variable `valfoo`.

`stats values(*) as *` will take every field that isn't already part of the `by` and roll together all the values (up to 100) into the same field name.

And that is the reason for the `fields -` command before it... I don't want the system to spend any CPU time on the fields I am getting rid of.

`range(price) as HILO`: the `range()` function gives the difference between the highest and lowest values of something; in this case, the highest price and the lowest price. So that's your maximum delta. You didn't really ask for it, but I'd put it there when working through your needs, and never took it out after I figured that you had several prices.

The best way to understand what each line of code does is to start with the top selection criteria, add a `| head 10` to get the first ten records of data, and then add back one line at a time, and see how that line transforms the data. Seems like you did some of that. Well done in figuring out what you did.

Path Finder

Everything is fine except the curly braces `{ }`.

I understand it is like an array; we can put some variables into a single variable?
Am I correct?

If I am wrong, that means it is only a new variable.
What is the difference between

`eval {market} = price`
`eval market = price`

SplunkTrust

Which time do you want to show (from which market)? Are the price diff columns (market names) fixed?
