- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate the difference between two fields...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two different files abc and abc1. Both have two fields TS1 and TS2. I just want to calculate difference between TS2 of abc1 with TS1 of ABC. I'm new here so please help me guys. Thanx in Advance..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may try this:
index=sth source="abc" | table TS1 | appendcols [search index=sth source="abc1" | table TS2 | rename TS2 as abc1_TS2] | eval Diff = abc1_TS2 - TS1
If these two files are unrelated, you can just use appendcols. Otherwise you should use join [common field]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's possible that the above version works for you in this case but here's how I'd solve it(assuming in this case that it's the same sourcetype as both sources had the same specific fields):
index="A" sourcetype="B" source="ABC" | eval R1 = TS1| join sourcetype [search index="X" sourcetype="B" source="ABC1" | eval R2 = TS2 | fields - R2] | eval diff(R2-R1) = R2-R1 | table diff(R2-R1), R1, R2
If you want just the latest event from each source you could add a dedup command like this:
index="A" sourcetype="B" source="ABC" | dedup source | eval R1 = TS1| join sourcetype [search index="X" sourcetype="B" source="ABC1" | eval R2 = TS2 | fields - R2] | eval diff(R2-R1) = R2-R1 | table diff(R2-R1), R1, R2
Perhaps not the most beautiful way to do it but I find it clear. Will not work well in real time.
Hope this helps,
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may try this:
index=sth source="abc" | table TS1 | appendcols [search index=sth source="abc1" | table TS2 | rename TS2 as abc1_TS2] | eval Diff = abc1_TS2 - TS1
If these two files are unrelated, you can just use appendcols. Otherwise you should use join [common field]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will need more information than this. How is your data stored in Splunk for these two files, What type of difference you want to check, any sample values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are they both going to the same index? If so then it would be easy, you need to use the eval command which will create a new field (Diff) which will then have the difference between TS2 and TS1
index=blah TS1 TS2 | eval Diff=TS2-TS1 | table Diff
index=blah is where you define what index you want to search in
TS1 TS2 is calling those fields within index=blah for faster search performance
|eval is a command in splunk which will make a new field called Diff which will store the difference between TS2 and TS1
|table Diff will create a table with a column called Diff which will display the difference between TS2 and TS1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks..this query was helpfull
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Feel free to upvote if this helped!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
