Solved: difference of two values of same field inside a tr...

KarunK · ‎02-20-2012

Hi ALL,

I am using a transaction command to group two events together, "connect" and "disconnect". Both the events have a common field called bytes and I need to get the difference of the bytes delivered during the disconnect event and connect event.

How can I achieve this ?

(sourcetype="access" event="*connect" status="200") | transaction c_ip eventttype startswith="connect" endswith="disconnect"

Thanks in Advance

Aappreciate your help.

Ayn · ‎02-21-2012

Use mvlist=t as a parameter to transaction to make sure you're getting field values in the correct (chronological) order, then use mvindex to get the first and last value for bytes.

... | transaction mvlist=t c_ip eventtype startswith="connect" endswith="disconnect" | eval bytesdiff=tonumber(mvindex(bytes,-1))-tonumber(mvindex(bytes,0))

View solution in original post

Ayn · ‎02-21-2012

Use mvlist=t as a parameter to transaction to make sure you're getting field values in the correct (chronological) order, then use mvindex to get the first and last value for bytes.

... | transaction mvlist=t c_ip eventtype startswith="connect" endswith="disconnect" | eval bytesdiff=tonumber(mvindex(bytes,-1))-tonumber(mvindex(bytes,0))

KarunK · ‎02-21-2012

Thanks Ayn. It worked....

difference of two values of same field inside a transcation

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!