Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Substract values of two columns and display the difference in third column?

rashidjorvee
New Member
‎04-23-2018 09:35 PM

I have a table which have fields Rank, City, Population _2001, Population _2011. Now I want to find the growth in population for respective cities. I try fetching the growth with "eval growth=P2011-P2001", but it didn't work. Please suggest some way to achieve this.

Search Query: index="rashid" City=A* AND "Population _2001">="100000" | table Rank, City, "Population _2001", "Population _2011" |rename "Population _2001" as P2001|rename "Population _2011" as P2011| eval growth=P2011-P2001

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-24-2018 06:58 AM

I think the problem is the values are seen as strings because of commas,
add the following before your eval to convert strings to numbers:

| convert num(P2001) num(P2011)

View solution in original post

Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-24-2018 07:04 AM

The reason why the values are not subtracted because of "," in the number make splunk to consider them as string and unable to do the caluclation .

For this we need to convert the fields to number so that "," will be removed and then eval diff = p1 - p2

For example

|makeresults |eval p1 = "2,000;1,000" |eval p2= "10,00;2,000" | eval p1 = split(p1,";") |eval p2 = split(p2, ";") |mvexpand p1 |mvexpand p2 |convert num(p*) |eval diff = p1-p2

Reply
Solved! Jump to solution

rashidjorvee
New Member
‎05-02-2018 07:46 AM

Thank you for your explanation. @ssadanala1
When I converted that field in a number those commas [,] has been removed and then my query is working fine and returning expected result.

0 Karma
Reply
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-24-2018 06:58 AM

I think the problem is the values are seen as strings because of commas,
add the following before your eval to convert strings to numbers:

| convert num(P2001) num(P2011)
Reply
Solved! Jump to solution

damien_chillet
Builder
‎04-24-2018 07:00 AM

Also, worth saying that your filter >= 100000 does not seem to work because Aurangabad is in the results and has 79,393 inhabitants.
You will have to create a calculated field to remediate that.

0 Karma
Reply
Solved! Jump to solution

rashidjorvee
New Member
‎05-02-2018 07:44 AM

Yes, this filter is not working as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...