Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

subtraction doesn't work for multiple values in one field

almond14
Engager
‎12-04-2015 01:44 PM

I managed to create a table that somewhat looks like this:
alt text

However, when I tried to append a new column with the differences between after and before as its value, it just gave me a blank space. I used eval differences=after-before which apparently doesn't work. Is there some other workaround on this? I need to get the list of differences so the end result should look something like below:
alt text

I need to have that column so I can process the average, min, and max difference for each name1, name2, etc.

Thanks!

Preview file
6 KB
Preview file
8 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-05-2015 12:25 PM

See answer by @sundareshr but also tack on this:

... | stats list(before) AS before list(after) AS after list(diff) AS diff BY names
Reply

sundareshr
Legend
‎12-04-2015 02:26 PM

Try this

.. | eval z=mvzip(before, after, "@") | mvexpand z | rex field=z "(?<before>.*)@(?<after>.*)" | table names, before, after | eval diff=after-before
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...