Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

manipulating different table rows

Ctpelster
Engager
‎01-17-2022 02:55 AM

Hi, 

I want to create the following excel table using splunk. The first 3 columns are based on the output of a query, something like this: 
<query>index=mfpublic sourcetype=SMF100 IFCID=1 DB2_SHARING_GROUP_NAME=$ssid_tok$ DB2_SUBSYSTEM="DBXH"
| table _time DB2_SSID CPU_accumulated
</query>
The last column is the result of a math operation between first row and second row. Using Excel, column D has the formula: C2-C3 in the first row, then C3-C4 in the second, then C4-C5, and so on. 

(A) Time(B) DB2_SSID(C) CPU_accumulated(D) Difference
17-1-2022 11:20DBXH35536318819569
17-1-2022 11:19DBXH35534361919437
17-1-2022 11:18DBXH35532418221579
17-1-2022 11:17DBXH35530260322657
17-1-2022 11:16DBXH35527994619793
17-1-2022 11:15DBXH355260153-

 

Is it possible to do this math operation between columns from different rows to create another column ? 

After having this "column D" I want to create a line chart based on this information. 

Thanks a lot for your help !! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse
0 Karma
Reply
Solved! Jump to solution

Ctpelster
Engager
‎01-17-2022 07:25 AM

Yes, it worked ! thank you. 

I changed the sort option in the query, instead of using the reverse you suggested. 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...