I have results in the following table format:
half          app_name   dataconsumed
-----------------------------------
first_half    skype      50
first_half    facebook   90
first_half    yahoo      10
first_half    bing       30
second_half   skype      150
second_half   facebook   100
second_half   yahoo      5
second_half   bing       50
How should I find the difference in dataconsumed, for example (difference = second_half - first_half), and exclude an app if the difference is negative?
For the above table, the result should be:
app        difference
------------------------
skype      100
facebook   10
bing       20
Note: In the above result table, yahoo is excluded since its difference is negative.
Try this...
| table half app_name dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
        sum(eval(if(half="first_half",null(),dataconsumed))) as data2
        by app_name
| eval difference=data2-data1
| where difference > 0
Give this a try as well
Updated
your current search giving fields half, app_name, dataconsumed
| chart values(dataconsumed) over app_name by half
| eval difference=second_half-first_half
| where difference>0
@somesoni2 nice. but difference>0
Gosh... I can swear it was > in my mind while typing. Thanks @Daljeanis for correcting it..