Subtraction, minus / Additive inverse (sub, -)
Description
Adds a new column that returns the subtraction of two fields or the additive inverse (opposite number) of the values in a given column. Depending on the input data types, this operation can be used in different ways:
Additive inverse of a float, integer or duration.
Subtraction of two numbers (float or integer). This operation returns a float or integer.
Subtraction of two duration fields. This operation returns a duration.
Subtraction of two timestamp fields. This operation returns a duration.
Subtraction of two a timestamp and a duration. This operation returns a timestamp.
How does it work in the search window?
Select Create column in the search window toolbar, then select the Subtraction, minus / Additive inverse operation. You need to specify at least one argument:
Argument | Data type |
---|---|
Value / Minuend mandatory | Apply the operation adding only the Value argument to get the additive inverse of the values in the selected column. Add a second argument to transform it into Minuend. These are the data types allowed for each argument:
|
Subtrahend | float, integer, timestamp, duration Depending on the data type chosen in the first argument, different data types are allowed here. See the possible combinations in the above section. |
The data type of the new column values can be float, integer, duration or timestamp, depending on the arguments selected (see above the different combinations and output data types).
Example
In the siem.logtrust.web.activity
table, we want to subtract 100 from all the values in the responseTime field of our table. To do it, we will create a new column using the Subtraction, minus / Additive inverse operation.
The arguments needed to create the new field are:
Minuend - responseTime field
Subtrahend - Click the pencil icon and enter 100
You must create both arguments to convert the value fields to Minuend and Subtrahend.
Click Create field and you will see the following result:
How does it work in LINQ?
Use the operator select
... as
... and add the operation syntax to create the new column. These are the valid formats of the Subtraction, minus / Additive inverse operation:
- number
- duration
number1 - number2
duration1 - duration2
timestamp1 - timestamp2
timestamp - duration
sub(number)
sub(duration)
sub(number1, number2)
sub(duration1, duration2)
sub(timestamp1, timestamp2)
sub(timestamp, duration)
Example
You can copy the following LINQ scripts and try the above example on the demo.ecommerce.data
table.
from demo.ecommerce.data
select bytesTransferred - 100 as `bytesTransferred-100`
or
from demo.ecommerce.data
select sub(bytesTransferred, 100) as `bytesTransferred-100`