Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

manipulating different table rows

Ctpelster
Engager
‎01-17-2022 02:55 AM

Hi, 

I want to create the following excel table using splunk. The first 3 columns are based on the output of a query, something like this: 
<query>index=mfpublic sourcetype=SMF100 IFCID=1 DB2_SHARING_GROUP_NAME=$ssid_tok$ DB2_SUBSYSTEM="DBXH"
| table _time DB2_SSID CPU_accumulated
</query>
The last column is the result of a math operation between first row and second row. Using Excel, column D has the formula: C2-C3 in the first row, then C3-C4 in the second, then C4-C5, and so on. 

(A) Time(B) DB2_SSID(C) CPU_accumulated(D) Difference
17-1-2022 11:20DBXH35536318819569
17-1-2022 11:19DBXH35534361919437
17-1-2022 11:18DBXH35532418221579
17-1-2022 11:17DBXH35530260322657
17-1-2022 11:16DBXH35527994619793
17-1-2022 11:15DBXH355260153-

 

Is it possible to do this math operation between columns from different rows to create another column ? 

After having this "column D" I want to create a line chart based on this information. 

Thanks a lot for your help !! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2022 03:06 AM

You can use streamstats only you would need to reverse the order of your events (from your example)

| makeresults
| eval _raw="Time	DB2_SSID	CPU_accumulated	Difference
17-1-2022 11:20	DBXH	355363188	19569
17-1-2022 11:19	DBXH	355343619	19437
17-1-2022 11:18	DBXH	355324182	21579
17-1-2022 11:17	DBXH	355302603	22657
17-1-2022 11:16	DBXH	355279946	19793
17-1-2022 11:15	DBXH	355260153	-"
| multikv forceheader=1
| table Time DB2_SSID CPU_accumulated
| reverse
| streamstats range(CPU_accumulated) as Difference window=2
| reverse
0 Karma
Reply
Solved! Jump to solution

Ctpelster
Engager
‎01-17-2022 07:25 AM

Yes, it worked ! thank you. 

I changed the sort option in the query, instead of using the reverse you suggested. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...