Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

manipulating different table rows

Ctpelster
Engager
‎01-17-2022 02:55 AM

Hi, 

I want to create the following excel table using splunk. The first 3 columns are based on the output of a query, something like this: 
<query>index=mfpublic sourcetype=SMF100 IFCID=1 DB2_SHARING_GROUP_NAME=$ssid_tok$ DB2_SUBSYSTEM="DBXH"
| table _time DB2_SSID CPU_accumulated
</query>
The last column is the result of a math operation between first row and second row. Using Excel, column D has the formula: C2-C3 in the first row, then C3-C4 in the second, then C4-C5, and so on. 

(A) Time(B) DB2_SSID(C) CPU_accumulated(D) Difference
17-1-2022 11:20DBXH35536318819569
17-1-2022 11:19DBXH35534361919437
17-1-2022 11:18DBXH35532418221579
17-1-2022 11:17DBXH35530260322657
17-1-2022 11:16DBXH35527994619793
17-1-2022 11:15DBXH355260153-

 

Is it possible to do this math operation between columns from different rows to create another column ? 

After having this "column D" I want to create a line chart based on this information. 

Thanks a lot for your help !! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse
0 Karma
Reply
Solved! Jump to solution

Ctpelster
Engager
‎01-17-2022 07:25 AM

Yes, it worked ! thank you. 

I changed the sort option in the query, instead of using the reverse you suggested. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...