/
Subtraction, minus / Additive inverse (sub, -)

Subtraction, minus / Additive inverse (sub, -)

Description

Adds a new column that returns the subtraction of two fields or the additive inverse (opposite number) of the values in a given column. Depending on the input data types, this operation can be used in different ways: 

  • Additive inverse of a float, integer or duration.

  • Subtraction of two numbers (float or integer). This operation returns a float or integer.

  • Subtraction of two duration fields. This operation returns a duration.

  • Subtraction of two timestamp fields. This operation returns a duration.

  • Subtraction of two a timestamp and a duration. This operation returns a timestamp.

How does it work in the search window?

Select Create column in the search window toolbar, then select the Subtraction, minus / Additive inverse operation. You need to specify at least one argument:

Argument

Data type

Argument

Data type

Value / Minuend mandatory

Apply the operation adding only the Value argument to get the additive inverse of the values in the selected column. Add a second argument to transform it into Minuend. These are the data types allowed for each argument:

  • Value → float, integerduration

  • Minuend → float, integer, timestampduration

Subtrahend

float, integer, timestamp, duration

Depending on the data type chosen in the first argument, different data types are allowed here. See the possible combinations in the above section.

The data type of the new column values can be float, integer, duration or timestamp, depending on the arguments selected (see above the different combinations and output data types).

Example

In the siem.logtrust.web.activity table, we want to subtract 100 from all the values in the responseTime field of our table. To do it, we will create a new column using the Subtraction, minus / Additive inverse operation.

The arguments needed to create the new field are:

  • Minuend responseTime field

  • Subtrahend - Click the pencil icon and enter 100

You must create both arguments to convert the value fields to Minuend and Subtrahend. 

Click Create field and you will see the following result:

How does it work in LINQ?

Use the operator select... as...  and add the operation syntax to create the new column. These are the valid formats of the Subtraction, minus / Additive inverse operation:

  • - number

  • - duration

  • number1 - number2 

  • duration1 - duration2

  • timestamp1 - timestamp2

  • timestamp - duration

  • sub(number)

  • sub(duration)

  • sub(number1, number2)

  • sub(duration1, duration2)

  • sub(timestamp1, timestamp2)

  • sub(timestamp, duration)

Example

You can copy the following LINQ scripts and try the above example on the demo.ecommerce.data table. 

from demo.ecommerce.data select bytesTransferred - 100 as `bytesTransferred-100`

or

from demo.ecommerce.data select sub(bytesTransferred, 100) as `bytesTransferred-100`