For example:
Suppose you have 3 numbers from search results: 1,000, 2,000 and 3,000.
I want to be able to display 3,000-2,000 in a new panel with a new label. I was thinking perhaps append? I am somewhat new to Splunk.
Thanks again!
Solved!
I tried to send this yesterday but Splunk says I don't have enough reputation to post more than twice per day 😛
My solution for combining the three time-specific (relative to current time) searches into one was to use the in-search time selection syntax to override the timepicker for each separate search, and to link them together with subsearches. Then for each subsearch, instead of trying to eval the results like this:
| eval diff=([a search] - [b sub search])
I appendcol'ed to my first search so that I could get them all in one table, in the same row and in three separate columns, like this:
index=main earliest=now latest=+1hr | eval A=*data for A* | stats first(A)
| appendcols [search
index=main earliest=@h latest=now | eval B=*data for B* | return $B ]
| eval C=('first(A)'-search) | table C
This also has the eval tacked onto the end to find the difference between event A and event B.
Thanks for your time and responses!
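The same appendcols pattern written out for all three windows, as an added example that is not part of the original answer. It assumes a constructed scenario (failed authentication events in a hypothetical index=main with sourcetype=auth and a field action=failure) and names each subsearch's result explicitly with stats ... AS so the final eval can subtract fields by name instead of relying on the "search" field that return $B produces:

```spl
index=main sourcetype=auth action=failure earliest=-2h@h latest=-1h@h
| stats count AS A
| appendcols
    [ search index=main sourcetype=auth action=failure earliest=-1h@h latest=@h
      | stats count AS B ]
| appendcols
    [ search index=main sourcetype=auth action=failure earliest=@h latest=now
      | stats count AS C ]
| eval diff_AB = A - B, diff_BC = B - C
| table A B C diff_AB diff_BC
```

Each subsearch returns exactly one row, so appendcols lands A, B and C on the same row and the eval works; if a subsearch returned several rows the columns would no longer line up. Because the three searches share an index and sourcetype, the same numbers can also be produced in a single search over the full two-hour range with conditional counts (stats count(eval(...)) per window), which avoids subsearch limits entirely.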
Make sure you click Accept on your answer.
Post a minimal set of raw events, your base search and intermediate output, then a mockup of your desired output.
Do you get all 3 numbers from a single search? Do you get them in the same row or in separate rows?
I've modified it so that I can get them in the same search and I only have to do two at a time. So I think my question has somewhat changed. They're in different columns and different rows of a table now and I'd like to make a third result that is the difference between the two. I was thinking an eval like such:
| eval diff=(A-B) but no dice here
On a side note it would still be interesting if it could be done as separate searches. So if you know how to do that, that'd be great!
It will be helpful if you can post your current search. The regular eval diff only works if the columns are in the same row.