Splunk Search

How to subtract Field value on the basis of other rows with same ID

Jayanthapoojary
New Member

As per the screenshot below, if a user makes one request, then in that request we have two calls (mentioned below). Every request will have a unique request ID assigned, and each call's response time would be different.

1) "MES" (This Call will always be one per request)
2) "EWM" ('n' number of calls will be triggered)

As per my requirement, while showing the MES response time I need to subtract all the EWM calls' time. Please give me your best thoughts and suggestions to complete this task.

I am new to Splunk and require your help. Thanks in advance!


kamlesh_vaghela
SplunkTrust

Hi,
You can write a search like the one below.
Can you please try it? Please replace the fields with the original field names.

YOUR EXISTING SEARCH 
| stats sum(PropetiesElapsedMilliseconds) as PropetiesElapsedMilliseconds by Properties.Http-RequestId, Properties.MII_ServiceType
| rename Properties.Http-RequestId as Properties_Http_RequestId, Properties.MII_ServiceType as Properties_MII_ServiceType
| stats sum(eval(if(Properties_MII_ServiceType="MES",PropetiesElapsedMilliseconds,0))) as MES,
sum(eval(if(Properties_MII_ServiceType="EWM",PropetiesElapsedMilliseconds,0))) as EWM  
by Properties_Http_RequestId
| eval Total = MES - EWM
| table Properties_Http_RequestId MES EWM Total 

I hope this will help you.

Thanks
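
A run-anywhere version of the search above, added here as an example and not part of the original answer. It assumes Splunk 9.0 or later for `makeresults format=csv`, uses constructed sample events with hypothetical field names (`request_id`, `service_type`, `elapsed_ms`), and does the per-request MES minus EWM subtraction in a single `stats` pass while counting calls per type, so a request with no MES event is left without a Total instead of showing a negative one.

```spl
| makeresults format=csv data="request_id,service_type,elapsed_ms
constructed-req-1,MES,900
constructed-req-1,EWM,200
constructed-req-1,EWM,150
constructed-req-2,MES,400
constructed-req-2,EWM,100
constructed-req-3,EWM,120"
| eval elapsed_ms = tonumber(elapsed_ms)
| stats sum(eval(if(service_type="MES", elapsed_ms, 0))) as MES,
        sum(eval(if(service_type="EWM", elapsed_ms, 0))) as EWM,
        count(eval(service_type="MES")) as MES_calls,
        count(eval(service_type="EWM")) as EWM_calls
        by request_id
| eval Total = if(MES_calls > 0, MES - EWM, null())
| table request_id MES_calls EWM_calls MES EWM Total
```

To use it on real data, replace the `makeresults` and `tonumber` lines with the existing search and swap in the original field names.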
