if I have a search that gives me something like this:
a b c
1 2 3
4 5 6
7 8 9
how do I add a column d that would do an operation (row2columnC - row1columnC, row3columnC - row2columnC ... all the way down) in each cell in column d (just want to show the value in column d)?
a b c d
1 2 3 3-0=3
4 5 6 6-3=3
7 8 9 9-6=3
I am thinking it would be ...| eval = ??
or something like this...
Try this
your search |delta c as difference p=1|fillnull value=0 difference
Don't use eval.
Use the delta command, which works like this:
For each event where field is a number, the `delta command` computes the difference, in search order, between the field value for the event and the field value for the previous event
next try this
your search |delta c as d
Try something like this
your current search giving fields a,b,c | delta c as d | eval d=coalesce(d,c)
What does eval d=coalesce(d,c) do here? I can't seem to see the difference. Or do I need a null value to see it working?
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions
All good answers. Here is a working example:
| makeresults count=3 | streamstats count as a | eval a=a+1 | streamstats count as b | eval b=b+10 | streamstats count as c | eval c=c+11 | delta a as a_dif p=1
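The three pipelines suggested in this thread differ only in what ends up in the first row, where delta has no previous event to subtract from. The following is an added example, not from any poster or from Splunk: a small Python model of `delta`, `fillnull` and `eval ... coalesce(...)` run over the question's three rows, assuming every value of c is numeric and rows are already in search order.

```python
# Added illustration: a Python model of the SPL commands discussed in this thread.
# It is not Splunk code; it assumes numeric field values and rows in search order.

def delta(rows, field, out, p=1):
    """Model of `delta <field> as <out> p=<p>`: value minus the value p rows earlier.
    The first p rows have no earlier row, so they get no <out> field (null)."""
    result = []
    for i, row in enumerate(rows):
        new = dict(row)
        if i >= p:
            new[out] = row[field] - rows[i - p][field]
        result.append(new)
    return result

def fillnull(rows, field, value=0):
    """Model of `fillnull value=<value> <field>`: replace a missing field with value."""
    return [dict(r) if r.get(field) is not None else {**r, field: value} for r in rows]

def eval_coalesce(rows, out, *fields):
    """Model of `eval <out>=coalesce(<fields>...)`: the first non-null field wins."""
    result = []
    for r in rows:
        new = dict(r)
        val = next((r[f] for f in fields if r.get(f) is not None), None)
        if val is not None:
            new[out] = val
        result.append(new)
    return result

def column(rows, field):
    return [r.get(field) for r in rows]

# Constructed sample: the a/b/c table from the question.
ROWS = [{"a": 1, "b": 2, "c": 3}, {"a": 4, "b": 5, "c": 6}, {"a": 7, "b": 8, "c": 9}]

def compare():
    raw = delta(ROWS, "c", "d")
    return {
        "delta c as d": column(raw, "d"),
        "delta + fillnull value=0": column(fillnull(raw, "d", 0), "d"),
        "delta + coalesce(d,c)": column(eval_coalesce(raw, "d", "d", "c"), "d"),
    }

if __name__ == "__main__":
    for pipeline, values in compare().items():
        print(f"{pipeline:28} d = {values}")
```

Only the coalesce(d,c) variant reproduces the 3-0=3 first row asked for in the question; the other rows are identical in all three, which is why the difference is visible only where d would otherwise be null.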