Questions in topic: "subtract"
https://answers.splunk.com/answers/topics/single/161667.html
The latest questions for the topic "subtract"

Can you help me in subtracting 2 times together?
https://answers.splunk.com/answers/725340/can-you-help-me-in-subtracting-2-times-together.html
I have a time where a ticket is created called:
| eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S")
If the start time is >=12, it is supposed to be subtracted from 8pm meaning: 20:00:00- start_time to find how much time is there.
So, if the start time is "2019-01-22 16:37:45", the time is 03:22:15.
The reason I want this time is because I have an SLA ticket, which takes 8 hours to be completed. And the business hours are until 8pm. So, if the ticket is raised later than 12pm, it will have to continue the remaining time the next day. That is why I want to find out how much time remained after 8pm.
So for the start time of "2019-01-22 16:37:45", the workers end work at 8pm, leaving 03:22:15 hours remaining to continue the next day 8am.
So the SLA should end on 2019-01-23 11:22:15
This is my code:
| eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S")
| eval end_time = "20:00:00"
| eval start_time_timing = strftime(start_time_epoch,"%H:%M:%S")
| eval remainder = case(SEVERITY = "Sev 2" AND date_hour >=12,(TARGET-(end_time-start_time_timing)) * 3600)
| eval SLA_DEADLINE = if(SEVERITY = "Sev 2" AND date_hour >=12,relative_time(SLA_DEADLINE,"+1d@d+8h") + remainder, SLA_DEADLINE)
I used start_time_timing to get the Hours, Minutes and Seconds.
SEVERITY 2 means the targeted hours is 8 hours.
splunk-enterprise subtract relative_time subtraction
Mon, 11 Feb 2019 10:16:41 GMT louisawang

How do you subtract two column values in Splunk?
https://answers.splunk.com/answers/689506/how-do-you-subtract-two-column-values-in-splunk.html
Hi team,
Say I have a column like this:
_time A
11pm 30
10pm 40
I have to subtract 40-30 and store in a new field
How do I achieve this?
subtract
Wed, 26 Sep 2018 09:43:14 GMT Mohsin123

How to subtract field values and have the result in a new field?
https://answers.splunk.com/answers/687212/how-to-subtract-field-values-and-have-the-result-i.html
Hi, please view my example csv.
file1.csv:
Apples Bananas Oranges Grapes
50 44 83 121
I would like a new column that would show the difference in each field from left to right so that the table would then look like this:
Apples Bananas Oranges Grapes Delta
50 44 83 121 6
39
38
What SPL could I use to accomplish this?? *In the end*, I intend to display the values in the `Delta` field as a line graph visualization across the values of the fruit while they're displayed as a bar graph. I know it doesn't make much sense logically but work with me here lol.
difference field-values field-value subtract subtraction
Thu, 20 Sep 2018 20:17:28 GMT russell120

How to find the difference between two date values and subtracting weekend days?
https://answers.splunk.com/answers/684871/how-to-find-the-difference-between-two-date-values.html
Hi All,
I need to find the difference between these two dates with the removal of the weekends
I have 2 date value fields as
ASSIGNED_DT = 2018-08-30 15:33:51
ANSWER_DT= 2018-09-03 16:59:48
| makeresults | eval ASSIGNED_DT = "2018-08-22 15:33:51" | eval ANSWER_DT= "2018-09-03 16:59:48" | eval Assigned_Time = strptime(ASSIGNED_DT, "%Y-%m-%d %H:%M:%S") | eval Answer_Time = strptime(ANSWER_DT, "%Y-%m-%d %H:%M:%S") | eval start=relative_time(Assigned_Time,"@d") | eval end=relative_time(Answer_Time,"@d") | eval Date=mvrange(start,end+86400,86400) | convert ctime(Date) timeformat="%+" | eval WeekendDays=mvcount(mvfilter(match(Date,"(Sun|Sat).*"))) | eval diff = tostring(( Answer_Time - Assigned_Time), "duration") | table ASSIGNED_DT, ANSWER_DT, diff, WeekendDays
Everything is working fine and the results are:-
ASSIGNED_DT ANSWER_DT diff WeekendDays
2018-08-22 15:33:51 2018-09-03 16:59:48 12+01:25:57.000000 4
Now I just need help with:
1. remove the WeekendDays from the diff
2. Convert diff-WeekendDays as the only number of days in decimal: for example here : it should be 8.01 days or 8 days 1 hour 25 mins only.
Thanks for your help.
splunk-enterprise timestamp subtract
Thu, 06 Sep 2018 09:31:03 GMT Chandras11

Why do I get an empty output when subtracting one time field from the main query and another from the subquery?
https://answers.splunk.com/answers/679253/why-do-i-get-an-empty-output-when-subtracting-one.html
I am retrieving two time fields one from main query and other from subquery. When I subtract both fields, I get blank output.
Query I am using:
index=main host=* *CRgsSessionInfo* PrimaryUserLogin=PrimaryUserLogOn | eval Time = _time | append [search host=* *CRgsSessionInfo PrimaryUserLogin=PrimaryUserLogoff | eval Time1 = _time ] | eval Diff= Time1-Time |table Diff
----------
marked code. dmj
splunk-enterprise field subtract
Wed, 08 Aug 2018 13:41:08 GMT nikhilesh_cvx

How to subtract the date in my search?
https://answers.splunk.com/answers/663124/how-to-subtract-the-date-in-my-search.html
How to subtract the below date?
End Time is 2018-06-04-10.45.09
Start Time is 2018-06-04-10.45.00
End Time - Start Time
splunk-enterprise subtract
Mon, 04 Jun 2018 16:01:49 GMT abhi04

subtraction of timestamp from two search
https://answers.splunk.com/answers/657768/subtraction-of-timestamp-from-two-search.html
I would like to calculate response time by extracting timestamp from two different search then subtracting Response=Send-Received. Example: search A has timestamp of received and Search B will be having time stamp of Sent. Two search interconnected with transctionID. I am using following syntax
But TimeOnrequest always coming as Blank, any suggestion please?
splunk-enterprise search-time subtract subtraction
Fri, 11 May 2018 08:48:50 GMT jayaraj1717

combine 2 queries and subtract the results
https://answers.splunk.com/answers/626138/combine-2-queries-and-subtract-the-results.html
I have the below queries, would like to run together and subtract the count results. Any help appreciated.
|host=SMD* source="D:\\Apps\\CM\\Logs\\CM_*" "Removing Session" AND "CM_EMD*"
| rex field=_raw "(?.+)"
| rex field=_raw "(?.+)"
| convert timeformat="%d" ctime(_time) AS c_time
| table c_time Server UserName count
| dedup c_time Server UserName | stats count by c_time Server
and
|host=SMD* source="D:\\Apps\\CM\\Logs\\CM_*" "Adding Session" AND "CM_EMD*"
| rex field=_raw "(?.+)"
| rex field=_raw "(?.+)"
| convert timeformat="%d" ctime(_time) AS c_time
| table c_time Server UserName count
| dedup c_time Server UserName | stats count by c_time Server
subtract
Wed, 14 Mar 2018 16:36:28 GMT bgleich

How to normalize the dates and subtract them from each other to get elapsed time?
https://answers.splunk.com/answers/623363/how-to-normalize-the-dates-and-subtract-them-from.html
Hello,
I am trying to normalize the dates on the below fields and subtract them from each other. How would I go about doing that? Is there a way that if there is no termination date, show something that says, Active and employed for X amount of time?
Thanks in advance!
![alt text][1]
[1]: /storage/temp/229575-starttermination.png
splunk-enterprise time subtract normalization elapsed
Mon, 26 Feb 2018 18:53:15 GMT cotyp

Find difference between time now and last event time
https://answers.splunk.com/answers/591363/find-difference-between-time-now-and-last-event-ti.html
I am not sure why I am not getting results with this query, any suggestions?
index= ______
| stats max(_time) as last_event
| eval timenow=strftime(now(), "%Y-%m-%d %H:%M:%S.%3N")
| eval last_event=strftime('last_event', "%Y-%m-%d %H:%M:%S.%3N")
| eval diff = tostring((timenow - last_event), "duration")
| table diff
splunk-enterprise time subtract now
Thu, 16 Nov 2017 21:17:01 GMT JoshuaJohn

Find all greater, after 5 mins subtract different columns
https://answers.splunk.com/answers/590665/find-all-greater-after-5-mins-subtract-different-c.html
Hi
I want to calculate/simulate data to analyze the price difference; my data set is in the picture:
the left is my data set, ***the right table is what I want to produce***
![alt text][1]
Process like this
LOOP
- find DIFF > 100 and get PAR and _time value
- get BTC value 5 minutes after, and set BTC as BTC_last
- get difference BTC_last - PAR
Until data finished
> For example
> find DIFF> 100
> time: 00:02:58 PAR:1655
> get 5 minutes after BTC: 1800 as BTC_last
> get difference BTC_last - PAR = 1800 -1655 = 145 and continue
> like this
> find DIFF> 100
> time: 00:09:58 PAR:1610
> get 5 minutes after BTC: 1510 as BTC_last
> get difference BTC_last - PAR = 1510 -1610 = -100
> and so on?
How can I produce this process, given in the right table, using Splunk?
[1]: /storage/temp/219742-splunk3-diff.png
subtract looping find
Sun, 12 Nov 2017 18:58:31 GMT abdulvehhaba

How to subtract Field value on the basis of other rows with same ID
https://answers.splunk.com/answers/588532/how-to-subtract-field-value-on-the-basis-of-other.html
As per the below screenshot, If User made one request then in that request we have two calls (mentioned below), Every request will have unique request id assigned and each call response time would be different.
1) "MES" (This Call will always be one per request)
2) "EWM" ('n' number of calls will be triggered)
As per my requirement, While showing MES response time I need to subtract all the EWM calls time. Please give me your best thoughts and suggestions to complete this task.
I am new in splunk require your help. Thanks in advance!
splunk-enterprise subtract
Thu, 02 Nov 2017 04:52:57 GMT Jayanthapoojary1989

subtract value on Subquery
https://answers.splunk.com/answers/489313/subtract-value-on-subquery.html
So basically I want to make a subquery where I can use the values found in the first query to make a subtract from the second subquery
external_response=Time
so the idea is get the subquery sum all times for traceId and then subtract the external_time
Any idea how to accomplish this?
sourcetype="service_ppe" source="/var/log/httpClient*.log" | stats sum(time_ms) as external_response by trace_id | join external_response [search sourcetype="service_ppe" source="/var/log/request*.log" | stats sum(time_ms) as response by trace_id | eval price_response=(response - external_response) | timechart count(price_response) ]
Regards.
source sources subtract subtraction subquery
Thu, 12 Jan 2017 14:39:10 GMT politrons

How to calculate the difference between 2 different events with the same field and group them by another field that they have in common?
https://answers.splunk.com/answers/418349/how-to-calculate-the-difference-between-2-differen.html
So let's say I have 4 events,
name="karina" age="23"
name="Karina" age = "67"
name="George" age="45"
name="George" age ="12"
I want to be able to get the difference and group these events by the name field (or whatever field that they have in common) to be able to get something like,
name="Karina" calc_age="44"
name="George" calc_age = "33"
I tried using delta, but I always get negative numbers and I don't know how to incorporate the group by in there.
grouping difference subtract
Mon, 20 Jun 2016 19:02:54 GMT kar1na

How to subtract static value from timechart?
https://answers.splunk.com/answers/379336/how-to-subtract-static-value-from-timechart.html
I have a timechart which tracks tax calls per half hour. We have monitoring set up which will hit our web service every 1 minute, there is no way to distinguish between a customer or monitor tax call in that index, it only shows the method and tax call. So I need to subtract 30 from each time slot so I can get rid of the monitoring from our results.
I have an extracted field called Tax which is the name of our web service name (CalculateTax and LookupTax).
**Example**
BEFORE
_time CalculateTax LookUpTax
2016-03-14 00:00:00 143 118
2016-03-14 00:30:00 151 111
2016-03-14 01:00:00 103 96
2016-03-14 01:30:00 125 98
AFTER
_time CalculateTax LookUpTax
2016-03-14 00:00:00 113 88
2016-03-14 00:30:00 121 81
2016-03-14 01:00:00 73 66
2016-03-14 01:30:00 95 68
**Here's my current query**
index=vertex7-access Tax="*" | timechart count by Tax
eval timechart subtract
Tue, 15 Mar 2016 14:06:58 GMT skoelpin

How can I subtract two results from stats?
https://answers.splunk.com/answers/305255/how-can-i-subtract-two-results-from-stats.html
Hi all.
I'm having a hard time trying to make a subtraction..
This is my entry csv:
Date,category,amount,person
01/08/2015,debit,150.00,jose
01/08/2015,debit,130.00,mary
07/08/2015,credit,300.00,jose
What I have so far is:
index=<my_index> | stats sum(amount) as Result by category | addcoltotals labelfield=category label=Total
category Result
debit 280.00
credit 300.00
Total 580.00
However, what I want is the difference between Credit and Debit, something like this:
category Result
debit 280.00
credit 300.00
Total 20.00
Any ideas how I should write my search?
Thanks in advance.
search stats subtract
Fri, 04 Sep 2015 14:01:23 GMT guimilare

would like to know how to get subtraction of field value in two different events
https://answers.splunk.com/answers/269940/would-like-to-know-how-to-get-subtraction-of-field.html
would like to know how to get subtraction of field value in two different events
I mean I have event A with field sum = 15
and event B with field sum = 20
I would like to create new field called diff that contain value = field of event B - field of event A
thanks in advance
field-values subtract
Thu, 09 Jul 2015 21:23:19 GMT Ahmedkhalil

How to subtract 2 column values and create a new column with the result in a chart?
https://answers.splunk.com/answers/250144/how-to-subtract-2-column-values-and-create-a-new-c.html
Hello, I have a chart I am trying to create that splits data based on another field. IE:
.... | stats count by Airport status | chart sum(count) over Airport by status
Which gives the chart:
| Airport | Started | Error | Complete |
----------------------------------
| LAX | 43 | 13 | 15 |
| JFK | 31 | 22 | 9 |
| ORD | 43 | 19 | 17 |
| AUS | 54 | 15 | 18 |
| CDG | 325 | 13 | 90 |
| SFO | 248 | 3 | 133 |
----------------------------------
What I would like to do is create a new column with the value consisting of one column value minus another column value. So taking the example above, I want to create a new column called "Dropped" and do the following math:
Dropped = started - (error+complete)
Essentially creating:
| Airport | Started | Error | Complete | Dropped |
----------------------------------
| LAX | 43 | 13 | 15 | 5 |
| JFK | 31 | 22 | 9 | 0 |
| ORD | 43 | 19 | 17 | 7 |
| AUS | 54 | 15 | 18 | 21 |
| CDG | 325 | 13 | 90 | 222 |
| SFO | 137 | 3 | 133 | 1 |
----------------------------------
eval chart column subtract
Tue, 23 Jun 2015 23:43:05 GMT boingodevin

How to subtract field values every 5 minutes and display these results on a graph?
https://answers.splunk.com/answers/248574/how-to-subtract-field-values-every-5-minutes-and-d.html
This log is updated every 5 minutes (I have included three examples of the logs). The value is cumulative. So, while graphing it in Splunk, I have to deduct the previous value to get the value for that 5 minute interval. So for example, let's take one field, `pdweb.sescache` hit has the following three values of 26965624, 27089514, and 27622280.
Taking 27622280-27089514 = 532766 (this is the actual value I want for that 5 minute interval.)
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 26965624
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 27089514
2015-06-22-11:30:00.000-08:00I----- pdweb.sescache hit : 27622280
graph value subtract
Mon, 22 Jun 2015 21:47:41 GMT dperry

How to subtract disconnect time from duration?
https://answers.splunk.com/answers/246839/how-to-subtract-disconnect-time-from-duration.html
I'm pulling in syslog ID 113019 from a Cisco ASA and it provides me with VPN disconnect information. However, the log entry does not tell me when the user originally connected. It provides the disconnect timestamp along with a duration. I want to calculate the connect timestamp by subtracting the disconnect time from duration. I am struggling to get the correct combination of eval commands to convert disconnect time and duration to epoch values to perform the subtraction.
Disconnect Time Format: Jun 11 19:06:03
Duration Time Format: 2d 4h:02m:25s
time duration strptime vpn subtract
Fri, 19 Jun 2015 22:24:39 GMT jgbecza