Splunk Search

would like to know how to get subtraction of field value in two different events

Ahmedkhalil
Path Finder

I would like to know how to get the subtraction of a field value in two different events.
I mean, I have event A with field sum = 15
and event B with field sum = 20.
I would like to create a new field called diff that contains value = field of event B - field of event A.

thanks in advance


pradeepkumarg
Influencer
0 Karma

Ahmedkhalil
Path Finder

Ok, it's a good start. How can I do this task at index time, not search time?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You cannot do maths at index time, you're limited to regular expressions.

Ahmedkhalil
Path Finder

Ok, but the problem is that I will use this field many times in dashboards, and it's a lot of data, so executing this search command each time will make reports and dashboards slow.

0 Karma

pradeepkumarg
Influencer
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Ahmedkhalil,

You can use streamstats to achieve it, like this:

your base search here| streamstats current=f last(sum) AS last | eval diff=sum-last | table event sum diff

Hope this helps ...

cheers, MuS

Ahmedkhalil
Path Finder

I would like to get the difference between two fields, not the summation,
and also these events are a transaction,
so I need to get the difference between events in the same transaction.

0 Karma

MuS
SplunkTrust
SplunkTrust

Another addition: if this is really a Splunk transaction event, it will not work with delta or streamstats. Both commands do their thing event-based:

For each event where field is a number, the delta command computes the difference, in search order, between the field value for the event and the field value for the previous event. The delta command writes this difference into newfield.

The same goes for streamstats ....

Ahmedkhalil
Path Finder

But the example below is from the search reference delta examples and contains the same example that I can use:
sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | delta _time AS timeDelta p=1 | eval timeDelta=abs(timeDelta) | eval timeDelta=tostring(timeDelta,"duration")

0 Karma

MuS
SplunkTrust
SplunkTrust

Yes, if your after-transaction event has a single-value field which can be used with delta, it will work.... But you have a transaction with a multi-value field called sum, and this cannot be used in delta .....

0 Karma

MuS
SplunkTrust
SplunkTrust

Sorry, my bad, I'm still a bit sleepy 😉 BTW, your question states it's two events and not one transaction event.

0 Karma
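As an added example (not from the original thread), here are both cases in SPL: the streamstats approach from MuS's answer with explicit time ordering, so diff is event B minus event A rather than the reverse, and a stats approach for the per-transaction case that reads the first and last sum by time and so does not depend on the ordering of transaction's multi-value field. The index, sourcetype, the event field and the grouping field JSESSIONID are assumptions.

```spl
index=<your_index> sourcetype=<your_sourcetype> sum=*
| sort 0 _time
| streamstats current=f last(sum) AS prev_sum
| eval diff = sum - prev_sum
| table _time event sum prev_sum diff

index=<your_index> sourcetype=<your_sourcetype> sum=*
| stats earliest(sum) AS first_sum latest(sum) AS last_sum count AS events by JSESSIONID
| where events >= 2
| eval diff = last_sum - first_sum
| table JSESSIONID first_sum last_sum diff
```

In the first search, sort 0 _time puts the older event first, so for the values in the question event B gets diff = 20 - 15 = 5; without the sort, Splunk's default newest-first order would give -5 on event A instead. The second search gives one diff per session whatever order the events arrive in, and avoids the multi-value problem MuS describes.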