Splunk Search

How do you subtract two column values in Splunk?

Mohsin123
Path Finder

Hi team,

Say I have a column like this:

_time    A
11pm     30
10pm     40

I have to subtract 40-30 and store the result in a new field.

How do I achieve this?

0 Karma
1 Solution

harishalipaka
Motivator

Hi @Mohsin123

Try this:

|makeresults |eval A=30 |append [|makeresults |eval A=40] |delta A

If it helped you, please accept it as the answer or upvote it.

Thanks
Harish

View solution in original post

ritchierich
New Member

Splunk active/inactive users

<input type="radio" token="active_account">
  <label>Active accounts</label>
  <choice value="*">all</choice>
  <choice value="1">active</choice>
  <choice value="0">inactive</choice>
  <default>1</default>
</input>
<input type="text" token="user_field" searchWhenChanged="true">
  <label>User:</label>
  <default>*</default>
</input>
<input type="text" token="role_field" searchWhenChanged="true">
  <label>Role:</label>
  <default>*</default>
</input>


<panel>
  <table>
    <search>
      <query>| rest /services/authentication/users   | dedup title   | rename title as user | eval firstHit=0  | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active  | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key)  | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit)  | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">100</option>
  </table>
</panel>

User/Role/Index Management

<panel>
  <title>Splunk indexes with corresponding roles</title>
  <input type="radio" token="view_field1" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index</default>
  </input>
  <input type="text" token="role_field1" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field1">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_role_indexes
| eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$
| dedup role
| rex field=index max_match=200 "(?<idx>\w+)"
| lookup admin_indexes_data_owners index as idx
| stats values(index) as index, values(data_owner) as data_owner by role</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="rowNumbers">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

<panel>
  <title>Splunk users details</title>
  <input type="radio" token="view_field2" searchWhenChanged="true">
    <label>View:</label>
    <choice value="| nomv index | nomv role">One line</choice>
    <choice value="">Human readable (currently not working)</choice>
    <default>| nomv index | nomv role</default>
  </input>
  <input type="text" token="user_field2" searchWhenChanged="true">
    <label>User:</label>
    <default>*</default>
  </input>
  <input type="text" token="role_field2" searchWhenChanged="true">
    <label>Role:</label>
    <default>*</default>
  </input>
  <input type="text" token="index_field2">
    <label>Index:</label>
    <default>*</default>
  </input>
  <table>
    <search>
      <query>| inputlookup admin_user_index_role | rename roles as role  $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen| eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)</query>
      <earliest>-15m@m</earliest>
      <latest>now</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="count">20</option>
  </table>
</panel>
0 Karma

Mohsin123
Path Finder

Thanks, but what if I have to do this with n columns? It's the row 2 value minus the row 1 value.

0 Karma
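The n-column generalisation asked about above, as an added example that is not from any post in this thread: `delta` as used in the accepted answer handles one field and writes its result to `delta(A)`, whereas this search uses `streamstats` to copy every field's previous-row value into a `prev_*` field and `foreach` to subtract it, so the same search works for any number of numeric columns. The two sample rows and the field names A, B and C are constructed for the example.

```spl
| makeresults
| eval _time=strptime("2024-04-01 23:00", "%Y-%m-%d %H:%M"), A=30, B=100, C=7
| append [| makeresults | eval _time=strptime("2024-04-01 22:00", "%Y-%m-%d %H:%M"), A=40, B=90, C=12]
| streamstats current=false window=1 last(*) as prev_*
| foreach prev_* [ eval diff_<<MATCHSTR>> = '<<MATCHSTR>>' - '<<FIELD>>' ]
| fields - prev_*
```

Both `delta` and `streamstats` subtract in result order, which for a normal search is newest event first, so the first row has no previous value and its diff fields stay empty; put `| reverse` (or `| sort 0 _time`) before `streamstats` if you want oldest-to-newest differences instead.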