Solved: Output fields based on values(current row) and val...

yuming1127 · ‎06-01-2021

Hi,

Im looking a way to eval values between 2 subsequence row. Please take a look on below.

my statictis table:

Product	quality
phone_a	40
phone_b	50
phone_c	40
phone_d	70

Expected output:

Product	quality	score_current_vs_previous
phone_a	40
phone_b	50	10
phone_c	40	-10
phone_d	70	30

As you can see, the score_current_vs_previous= quality(current row) - quality(previous row)

Appreciate your help, thanks.

bowesmana · ‎06-01-2021

See this example search using your data set. What you need is from streamstats command

| makeresults
| eval _raw="Product	quality
phone_a	40
phone_b	50
phone_c	40
phone_d	70"
| multikv forceheader=1 
| table Product quality
| streamstats window=1 current=f first(quality) as prev_quality
| eval score_current_vs_previous=quality-prev_quality
| table Product quality score_current_vs_previous

View solution in original post

bowesmana · ‎06-01-2021

See this example search using your data set. What you need is from streamstats command

| makeresults
| eval _raw="Product	quality
phone_a	40
phone_b	50
phone_c	40
phone_d	70"
| multikv forceheader=1 
| table Product quality
| streamstats window=1 current=f first(quality) as prev_quality
| eval score_current_vs_previous=quality-prev_quality
| table Product quality score_current_vs_previous

yuming1127 · ‎06-14-2021

Great one thanks

Output fields based on values(current row) and values(previous row)

eval

fields

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation