Solved: How to add a new row to my table that add the coun...

avi7326 · ‎08-30-2023

I want to add three fields insert ,update and error then subtract it from count_carmen and add new row .

ITWhisperer · ‎08-31-2023

You could add this line if you want the total

| eval total=inserts+updates+errors

View solution in original post

ITWhisperer · ‎08-30-2023

| addcoltotals count_carmen inserts updates errors
| eval count_carmen=if(isnull(_time),count_carmen-inserts-updates-errors,count_carmen)
| eval inserts=if(isnull(_time),null(),inserts)
| eval updates=if(isnull(_time),null(),updates)
| eval errors=if(isnull(_time),null(),errors)

avi7326 · ‎08-31-2023

It is giving me a new column and row what if I only wants a column of field name difference.

ITWhisperer · ‎08-31-2023

You literally said "add new row"!

If you just want the difference, try this

| eval difference=count_carmen-inserts-updates-errors

avi7326 · ‎08-31-2023

It is giving a wrong count. I want to add the insert+update+error. Then subtract it from count_carmen.

ITWhisperer · ‎08-31-2023

You could add this line if you want the total

| eval total=inserts+updates+errors

ITWhisperer · ‎08-31-2023

Remove these lines (they were only required when you had the extra row (that you originally asked for)

| eval inserts=if(isnull(_time),null(),inserts)
| eval updates=if(isnull(_time),null(),updates)
| eval errors=if(isnull(_time),null(),errors)

How to add a new row to my table that add the counts of three fields and subtract from another field?

eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases