Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

subtraction doesn't work for multiple values in one field

almond14
Engager
‎12-04-2015 01:44 PM

I managed to create a table that somewhat looks like this:
alt text

However, when I tried to append a new column with the differences between after and before as its value, it just gave me a blank space. I used eval differences=after-before which apparently doesn't work. Is there some other workaround on this? I need to get the list of differences so the end result should look something like below:
alt text

I need to have that column so I can process the average, min, and max difference for each name1, name2, etc.

Thanks!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-05-2015 12:25 PM

See answer by @sundareshr but also tack on this:

... | stats list(before) AS before list(after) AS after list(diff) AS diff BY names
Reply

sundareshr
Legend
‎12-04-2015 02:26 PM

Try this

.. | eval z=mvzip(before, after, "@") | mvexpand z | rex field=z "(?<before>.*)@(?<after>.*)" | table names, before, after | eval diff=after-before
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...