Splunk Search

How can I find the difference between table rows?

sohaibomar
Explorer

I have results in following table format:

half    app_name    dataconsumed
-----------------------------------
first_half    skype    50
first_half    facebook    90
first_half    yahoo    10
first_half    bing    30
second_half    skype    150
second_half    facebook    100
second_half    yahoo    5
second_half    bing    50

How should I find the difference in dataconsumed for ex (difference = secondhalf - firsthalf) and exclude app if difference is negative.

for above table result should be:

app    difference
------------------------
skype    100
facebook    10
bing    20

Note: In above result table yahoo is excluded since it's difference is negative.

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0 

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this as well
Updated

your current search giving fields half, app_name, dataconsumed
| chart values(dataconsumed) over app_name by half
| eval difference=second_half-first_half
| where difference>0

DalJeanis
SplunkTrust
SplunkTrust

@somesoni2 nice. but difference>0

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Gosh... I can swear it was > in my mind while typing. Thanks @Daljeanis for correcting it..

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0 
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...