Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract or minus the values

phanichintha
Path Finder
‎06-28-2021 05:39 AM

Hello Team,

I have a query called:
host="mule1" OR host="mule2" Message="message: Start of Flow CreateUser flow" OR Message="message: All system calls for CREATE user is completed" | stats count by Message

Output:

phanichintha_0-1624883529929.png

But here I want in the output the third row should be Failures under Message column and First column minus(-) Second column count in Third column count.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-28-2021 06:02 AM 
| transpose 0 header_field=message
| eval Failures='message: Start of Flow CreateUser flow'-'message: All system calls for CREATE user is completed'
| transpose 0 column_name=message header_field=column

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-28-2021 06:02 AM 
| transpose 0 header_field=message
| eval Failures='message: Start of Flow CreateUser flow'-'message: All system calls for CREATE user is completed'
| transpose 0 column_name=message header_field=column
0 Karma
Reply
Solved! Jump to solution

amitshrigoel
Explorer
‎01-30-2024 04:45 PM

I have a similar problem but i have to do it recursively e.g. 2nd row - 1st row, 4th - 3rd row, 6th - 5th and so on and so forth e.g. how can we do it in Splunk ( I am doing a workaround and exporting to Excel and then using = A2-A1, A4-A3). Is it possible to do it in the query itself.

Value

43

65.     = 22

24

47.    = 23

36

62. = 26

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-31-2024 01:20 AM 
| streamstats count as row current=f last(Value) as previous
| eval row=row%2
| eval diff=if(row=1,Value-previous*row,null())
| fields - previous row
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 12:03 AM

1. This is not recursion

2. This is an old thread with possibly low visibility. Please create a new thread, describe your problem, what data you have, what results you need to raise your chances of getting a meaningful response.

0 Karma
Reply
Solved! Jump to solution

phanichintha
Path Finder
‎06-28-2021 06:14 AM

@ITWhisperer thanks for the swift response, i got the exact results.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...