Solved: How can I find the difference between table rows?

sohaibomar · ‎09-17-2017

I have results in following table format:

half    app_name    dataconsumed
-----------------------------------
first_half    skype    50
first_half    facebook    90
first_half    yahoo    10
first_half    bing    30
second_half    skype    150
second_half    facebook    100
second_half    yahoo    5
second_half    bing    50

How should I find the difference in dataconsumed for ex (difference = secondhalf - firsthalf) and exclude app if difference is negative.

for above table result should be:

app    difference
------------------------
skype    100
facebook    10
bing    20

Note: In above result table yahoo is excluded since it's difference is negative.

DalJeanis · ‎09-17-2017

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0

View solution in original post

somesoni2 · ‎09-17-2017

Give this as well
Updated

your current search giving fields half, app_name, dataconsumed
| chart values(dataconsumed) over app_name by half
| eval difference=second_half-first_half
| where difference>0

DalJeanis · ‎09-18-2017

@somesoni2 nice. but difference>0

somesoni2 · ‎09-18-2017

Gosh... I can swear it was > in my mind while typing. Thanks @Daljeanis for correcting it..

DalJeanis · ‎09-17-2017

Try this...

| table half appname dataconsumed
| stats sum(eval(if(half="first_half",dataconsumed,null()))) as data1
   sum(eval(if(half="first_half",null(),dataconsumed))) as data2
   by appname
| eval difference=data2-data1
| where difference > 0

How can I find the difference between table rows?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!