Hi team,
Say I have a column like this:
_time A
11pm 30
10pm 40
I have to subtract 40-30 and store it in a new field.
How do I achieve this?
Hi @Mohsin123,
try this:
| makeresults | eval A=30 | append [| makeresults | eval A=40] | delta A
If it helped you, please accept it as the answer or upvote it.
Splunk active/inactive users
<input type="radio" token="active_account">
<label>Active accounts</label>
<choice value="*">all</choice>
<choice value="1">active</choice>
<choice value="0">inactive</choice>
<default>1</default>
</input>
<input type="text" token="user_field" searchWhenChanged="true">
<label>User:</label>
<default>*</default>
</input>
<input type="text" token="role_field" searchWhenChanged="true">
<label>Role:</label>
<default>*</default>
</input>
<panel>
<table>
<search>
<query>| rest /services/authentication/users | dedup title | rename title as user | eval firstHit=0 | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key) | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit) | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"</query>
<earliest>-15m@m</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="count">100</option>
</table>
</panel>
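The panel above reads firstHit and lastHit per user from the `splunk_users` lookup, but the page does not show the search that fills that lookup. The following scheduled search is an added example and not the dashboard author's code. It assumes that `splunk_users` is a KV store lookup definition keyed by user name (which the `_key` handling in the panel query implies), that successful logins are written to `_audit` as `action=login_attempt info=succeeded` with a `user` field, and that the search is scheduled to run more often than its lookback window (hourly, with a 4-hour window, in this version). It merges the new window with the rows already in the lookup so that firstHit survives across runs instead of being reset to the start of the current window.

```spl
index=_audit action=login_attempt info=succeeded earliest=-4h@h latest=now
| stats min(_time) AS firstHit, max(_time) AS lastHit BY user
| inputlookup append=true splunk_users
| eval user = coalesce(user, _key)
| stats min(firstHit) AS firstHit, max(lastHit) AS lastHit BY user
| eval _key = user
| table _key, user, firstHit, lastHit
| outputlookup splunk_users
```

Two things to keep in mind when reading the panel on top of this lookup: `max(active)` is always 1 for any account that the REST call still returns, so `active=0` only ever means "the account no longer exists but is still in the lookup", and an existing account that has never logged in gets `lastHit=0` from the panel's `eval`, which `convert ctime` renders as 1970-01-01 00:00:00 rather than "never".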
User/Role/Index Management
<panel>
<title>Splunk indexes with corresponding roles</title>
<input type="radio" token="view_field1" searchWhenChanged="true">
<label>View:</label>
<choice value="| nomv index">One line</choice>
<choice value="">Human readable (currently not working)</choice>
<default>| nomv index</default>
</input>
<input type="text" token="role_field1" searchWhenChanged="true">
<label>Role:</label>
<default>*</default>
</input>
<input type="text" token="index_field1">
<label>Index:</label>
<default>*</default>
</input>
<table>
<search>
<query>| inputlookup admin_role_indexes
| eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$
| dedup role
| rex field=index max_match=200 "(?&lt;idx&gt;\w+)"
| lookup admin_indexes_data_owners index as idx
| stats values(index) as index, values(data_owner) as data_owner by role</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Splunk users details</title>
<input type="radio" token="view_field2" searchWhenChanged="true">
<label>View:</label>
<choice value="| nomv index | nomv role">One line</choice>
<choice value="">Human readable (currently not working)</choice>
<default>| nomv index | nomv role</default>
</input>
<input type="text" token="user_field2" searchWhenChanged="true">
<label>User:</label>
<default>*</default>
</input>
<input type="text" token="role_field2" searchWhenChanged="true">
<label>Role:</label>
<default>*</default>
</input>
<input type="text" token="index_field2">
<label>Index:</label>
<default>*</default>
</input>
<table>
<search>
<query>| inputlookup admin_user_index_role | rename roles as role $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen| eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)</query>
<earliest>-15m@m</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="count">20</option>
</table>
</panel>
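Both panels in this section read their data from lookups (`admin_role_indexes` and `admin_user_index_role`) whose population search is not on the page. As an added example, not the dashboard author's code, the search below builds `admin_user_index_role` with the `user`, `roles` and `index` columns that the second panel expects, taking each role's allowed indexes from the roles REST endpoint and unioning them per user. It assumes `admin_user_index_role` is defined as a CSV lookup and that the search runs on the search head whose accounts you want to audit (`splunk_server=local`); `srchIndexesAllowed` and `imported_srchIndexesAllowed` are the same REST fields the first panel's query already uses.

```spl
| rest /services/authentication/users splunk_server=local
| rename title AS user
| table user, roles
| mvexpand roles
| join type=left roles [
    | rest /services/authorization/roles splunk_server=local
    | rename title AS roles
    | eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed)
    | table roles, index ]
| stats values(roles) AS roles, values(index) AS index BY user
| outputlookup admin_user_index_role
```

The `index` column holds the allowed-index patterns as configured on the role (for example `*` or `_*`), not the concrete indexes they expand to, so a user whose only pattern is `*` will not match a panel filter like `index=proxy` even though they can search it; expand patterns against `| rest /services/data/indexes` first if the dashboard is used for access reviews.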
Thanks, but what if I have to do this with n columns? It's the row 2 value minus the row 1 value.
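For the n-column follow-up, here is an added example that is not part of the answer above. `delta` takes a single field and subtracts the previous row from the current row in result order, so with the question's `_time`-descending table the second row (40) minus the first (30) gives 10. To do the same for several fields at once, `streamstats current=f window=1` carries each listed field's previous-row value forward and `foreach` performs the subtraction per field; `delta A` is kept alongside to show it yields the same value as `diff_A`. The `makeresults`/`eval` rows are constructed sample data, not from the post.

```spl
| makeresults count=3
| streamstats count AS row
| eval _time = now() - (3 - row) * 3600
| eval A = case(row==1, 30, row==2, 40, row==3, 55)
| eval B = case(row==1, 100, row==2, 90, row==3, 120)
| fields - row
| sort 0 _time
| streamstats current=f window=1 last(A) AS prev_A, last(B) AS prev_B
| foreach A B [ eval diff_<<FIELD>> = '<<FIELD>>' - 'prev_<<FIELD>>' ]
| delta A AS delta_A
| table _time, A, prev_A, diff_A, delta_A, B, prev_B, diff_B
```

The first row has no predecessor, so its `diff_*` and `delta_A` fields are empty; the second row gives `diff_A=10` and `diff_B=-10`, the third `diff_A=15` and `diff_B=30`. Both `streamstats` and `delta` follow the order in which results arrive, so drop the `sort` (or sort `-_time`) if you want "row 2 minus row 1" in the original descending layout rather than "later minus earlier", and add further fields to the `foreach` list and the `streamstats` clause for more columns.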