Q1: How can I get c4 where c4 will always be the difference of values in c3 against max of c2 - min of c2
For example: Here c4 for A = 677-76
Please guide.
c c2 c3
A 1 76
A 2 7
A 3 6
A 4 677
B 1 65
B 2 675
B 3 90
B 4 78
C 1 121
C 2 56
C 3 54
C 4 67
D 1 56
D 2 6
D 3 5
D 4 657
@reverse
<your query>| sort c c2
| stats first(c3) as first, last(c3) as last by c
| eval c4=last - first
@reverse
<your query>| sort c c2
| stats first(c3) as first, last(c3) as last by c
| eval c4=last - first
This worked but i had to add eventstats. .. was getting blank with stats
Good to know. Thanks
Thanks a ton @Vijeta .. Kindly help here as well..
https://answers.splunk.com/answers/750417/playing-with-data-ii.html?minQuestionBodyLength=80
Try something like this:
index="yourindex" sourcetype="yoursourcetype"
| stats max(c3) as max min(c3) as min by c
| eval c4=max-min
Please see the example
Is this what you were looking for?
index="yourindex" sourcetype="yoursourcetype"
| eventstats min(c3) as min max(c3) as max by c
| eval c4=max-min
| table c c2 c3 c4
| sort c c2
This is not producing the intended results
@Vijeta please guide.
@reverse try using delta command and see if that works.
Tried that .. it is continuing for all rows .. i want it by c1.. delta is not taking by clause
@reverse ok I see you changed the question. Try below
<your query>
| stats max(c3) as max, min(c3) as min by c
| eval c4=max-min
Not producing the intended result..
I need the difference of c2 against c3 values as mentioned in the example
Could you please post an example.. dont know that command..thank you