Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Column value differences

Chinmai
Explorer
‎03-22-2017 04:50 AM

Hello Guys,

I have columns like column1, coulmn2, column3... and I want output as column1, column2=column2-column1, column3=column3-column2, col4=col4-col3...

Is there any way to write search query for this?

Thanks in advance.

Tags (1)
0 Karma
Reply

Chinmai
Explorer
‎03-23-2017 12:09 AM

Hello All,

Thanks for your answers, but the columns number is more. I cannot do colY=colY-colX every time, is there any better solution?

I have around 20-30 rows as output and other than columns col1,col2,col3.. I have another one column which I am using in my by clause of search query

0 Karma
Reply

somesoni2
Revered Legend
‎03-22-2017 08:25 AM

How many rows do you get? Do you have other columns as well other than columnNs where N=1,2,3...?

0 Karma
Reply

adonio
Ultra Champion
‎03-22-2017 07:59 AM

use the eval command / function
... | eval newColumn = columnX - columnY
more on this topic here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

0 Karma
Reply

maffreitas
Path Finder
‎03-22-2017 07:25 AM

Hi, you can thy this:

index=xpto source=abc | eval column2a = column2 - column1, column3a = column3 - column2 | table column2a, column3a

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...