https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/504996#M2072 <P>Hi All,</P><P>I am trying to substract values (timestamps) of an mv field, but they are of differing lengths;</P><P>## example data:<BR />sysmodtime,idnumber,epoch time<BR />05/03/20 12:40 PM,1,1588502400<BR />05/01/20 12:01 AM,1,1588284060<BR />05/01/20 12:02 AM,1,1588284120<BR />05/01/20 12:02 AM,1,1588284120</P><P>05/02/20 12:00 PM,2,1588413600<BR />04/02/20 12:00 AM,2,1585778400<BR />04/02/20 01:00 AM,2,1585782000</P><P>04/02/20 02:00 AM,3,1585785600</P><P>##desired outcome: = new field time-diff at the end:<BR />sysmodtime,idnumber,epoch time,time_diff<BR />05/03/20 12:40 PM,1,1588502400,218340<BR />05/01/20 12:01 AM,1,1588284060,-60<BR />05/01/20 12:02 AM,1,1588284120,0<BR />05/01/20 12:02 AM,1,1588284120,empty</P><P>05/02/20 12:00 PM,2,1588413600,2635200<BR />04/02/20 12:00 AM,2,1585778400,-3600<BR />04/02/20 01:00 AM,2,1585782000,empty</P><P>04/02/20 02:00 AM,3,1585785600,empty</P><P><BR />-------------------------------<BR />The original data is about 200.000 rows long, so we are looking for a structural solution.</P><P>Is there a simple way to loop through the timestamp value inside the mvfield and substract it and place it in a new field<BR />Any suggestions would be very welcome,</P><P>Cheers,<BR />Roelof</P> Thu, 18 Jun 2020 14:44:56 GMT rvsroe 2020-06-18T14:44:56Z https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/504996#M2072 <P>Hi All,</P><P>I am trying to substract values (timestamps) of an mv field, but they are of differing lengths;</P><P>## example data:<BR />sysmodtime,idnumber,epoch time<BR />05/03/20 12:40 PM,1,1588502400<BR />05/01/20 12:01 AM,1,1588284060<BR />05/01/20 12:02 AM,1,1588284120<BR />05/01/20 12:02 AM,1,1588284120</P><P>05/02/20 12:00 PM,2,1588413600<BR />04/02/20 12:00 AM,2,1585778400<BR />04/02/20 01:00 AM,2,1585782000</P><P>04/02/20 02:00 AM,3,1585785600</P><P>##desired outcome: = new field time-diff at the end:<BR />sysmodtime,idnumber,epoch time,time_diff<BR />05/03/20 12:40 PM,1,1588502400,218340<BR />05/01/20 12:01 AM,1,1588284060,-60<BR />05/01/20 12:02 AM,1,1588284120,0<BR />05/01/20 12:02 AM,1,1588284120,empty</P><P>05/02/20 12:00 PM,2,1588413600,2635200<BR />04/02/20 12:00 AM,2,1585778400,-3600<BR />04/02/20 01:00 AM,2,1585782000,empty</P><P>04/02/20 02:00 AM,3,1585785600,empty</P><P><BR />-------------------------------<BR />The original data is about 200.000 rows long, so we are looking for a structural solution.</P><P>Is there a simple way to loop through the timestamp value inside the mvfield and substract it and place it in a new field<BR />Any suggestions would be very welcome,</P><P>Cheers,<BR />Roelof</P> Thu, 18 Jun 2020 14:44:56 GMT https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/504996#M2072 rvsroe 2020-06-18T14:44:56Z https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505016#M2073 <P>If I understand your data correctly, you may be able to use streamstats.</P><LI-CODE lang="markup">... | streamstats window=2 range('epoch timestamp') as time_diff</LI-CODE> Thu, 18 Jun 2020 15:46:02 GMT https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505016#M2073 richgalloway 2020-06-18T15:46:02Z https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505135#M2074 <P>I believe you will have to mvexpand out the fields first to get the mv field into separate rows and then run streamstats. Take this for example</P><LI-CODE lang="markup">| makeresults | eval _raw="sysmodtime,idnumber,epoch time 05/03/20 12:40 PM,1,1588502400 05/01/20 12:01 AM,1,1588284060 05/01/20 12:02 AM,1,1588284120 05/01/20 12:02 AM,1,1588284120 05/02/20 12:00 PM,2,1588413600 04/02/20 12:00 AM,2,1585778400 04/02/20 01:00 AM,2,1585782000 04/02/20 02:00 AM,3,1585785600" | multikv | stats list(*) as * by idnumber | eval x="So, up to here is your original data" | eval base=mvzip(sysmodtime,epoch_time) | fields - _raw linecount sysmodtime epoch_time | mvexpand base | rex field=base "(?&lt;sysmodtime&gt;[^,]*),(?&lt;epoch_time&gt;.*)" | fields - base | streamstats window=2 range(epoch_time) as time_diff by idnumber | stats list(*) as * by idnumber | eval time_diff=mvindex(time_diff,1,-1)</LI-CODE><P>That gives you what you want, but will be expensive to do the mvexpand and re-aggregations, but you can measure that.</P><P>As to calculating values inside MV fields, if you have Splunk 8 I think, then mvmap may be able to get you to where you want, I couldn't get it to work though - I've not used it before.</P> Fri, 19 Jun 2020 07:03:12 GMT https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505135#M2074 bowesmana 2020-06-19T07:03:12Z https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505162#M2075 <P>This worked perfectly, thank you very much, I've only added a strftime to convert epoch into hours and minutes:</P><P><SPAN>&nbsp;</SPAN><SPAN>| eval time_diff=strftime(mvindex(time_diff,1,-1),"%H:%M:%S") </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="forum1.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9248iF319F80223D2E474/image-size/medium?v=v2&amp;px=400" role="button" title="forum1.PNG" alt="forum1.PNG" /></span></P><P><SPAN>&nbsp;</SPAN></P> Fri, 19 Jun 2020 11:35:09 GMT https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505162#M2075 rvsroe 2020-06-19T11:35:09Z https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505163#M2076 <P>Thanks for the reply, streamstats was indeed helpful, I've accepted the other reply as answer though for its completeness</P> Fri, 19 Jun 2020 11:36:28 GMT https://community.splunk.com/t5/Splunk-ITSI/Summing-values-inside-mvfield/m-p/505163#M2076 rvsroe 2020-06-19T11:36:28Z