Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Output fields based on values(current row) and values(previous row)

yuming1127
Path Finder
‎06-01-2021 08:06 PM

Hi,

Im looking a way to eval values between 2 subsequence row. Please take a look on below.


my statictis table:

Product quality
phone_a40
phone_b50
phone_c40
phone_d70


Expected output:

Product qualityscore_current_vs_previous
phone_a40 
phone_b5010
phone_c40-10
phone_d7030


As you can see, the score_current_vs_previous= quality(current row) - quality(previous row)

Appreciate your help, thanks.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-01-2021 08:37 PM

See this example search using your data set. What you need is from streamstats command

| makeresults
| eval _raw="Product	quality
phone_a	40
phone_b	50
phone_c	40
phone_d	70"
| multikv forceheader=1 
| table Product quality
| streamstats window=1 current=f first(quality) as prev_quality
| eval score_current_vs_previous=quality-prev_quality
| table Product quality score_current_vs_previous

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-01-2021 08:37 PM

See this example search using your data set. What you need is from streamstats command

| makeresults
| eval _raw="Product	quality
phone_a	40
phone_b	50
phone_c	40
phone_d	70"
| multikv forceheader=1 
| table Product quality
| streamstats window=1 current=f first(quality) as prev_quality
| eval score_current_vs_previous=quality-prev_quality
| table Product quality score_current_vs_previous
Reply
Solved! Jump to solution

yuming1127
Path Finder
‎06-14-2021 08:35 PM

Great one thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...