Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

manipulating different table rows

Ctpelster
Engager
‎01-17-2022 02:55 AM

Hi, 

I want to create the following excel table using splunk. The first 3 columns are based on the output of a query, something like this: 
<query>index=mfpublic sourcetype=SMF100 IFCID=1 DB2_SHARING_GROUP_NAME=$ssid_tok$ DB2_SUBSYSTEM="DBXH"
| table _time DB2_SSID CPU_accumulated
</query>
The last column is the result of a math operation between first row and second row. Using Excel, column D has the formula: C2-C3 in the first row, then C3-C4 in the second, then C4-C5, and so on. 

(A) Time(B) DB2_SSID(C) CPU_accumulated(D) Difference
17-1-2022 11:20DBXH35536318819569
17-1-2022 11:19DBXH35534361919437
17-1-2022 11:18DBXH35532418221579
17-1-2022 11:17DBXH35530260322657
17-1-2022 11:16DBXH35527994619793
17-1-2022 11:15DBXH355260153-

 

Is it possible to do this math operation between columns from different rows to create another column ? 

After having this "column D" I want to create a line chart based on this information. 

Thanks a lot for your help !! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse
0 Karma
Reply
Solved! Jump to solution

Ctpelster
Engager
‎01-17-2022 07:25 AM

Yes, it worked ! thank you. 

I changed the sort option in the query, instead of using the reverse you suggested. 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...