https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432293#M123518 <P>Hi there,</P> <P>I'm fairly new to Splunk searches.<BR /> I have a search in a log : <CODE>index=tutti sourcetype=toto status!=4</CODE></P> <P>Where I have 4 fields of interest namely : BeginTime (in epoch format), EndTime (in epoch format), LogTime (in epoch format) and Attempts.<BR /> I want a search that would generate a dynamic multi-value field ("|" separated), let's call it LogTimes, based on the following logic :</P> <PRE><CODE>If Attempts =1 then LogTimes = LogTime elsif Attempts =2 then LogTimes = BeginTime|EndTime elsif Attempts =3 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/2|EndTime elsif Attempts = 4 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/3|BeginTime+2*(EndTime-BeginTime)/3|EndTime </CODE></PRE> <P>Then it should count every timestamp occurrence (every single value in LogTimes) at the end.</P> <PRE><CODE>elsif Attempts = n then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/(n-1)|BeginTime+2*(EndTime-BeginTime)/(n-1)|..............|BeginTime+(n-2)*(EndTime-BeginTime)/(n-1)|EndTime </CODE></PRE> <P>Can someone help me, please?</P> Mon, 17 Jun 2019 19:06:25 GMT elaoumam 2019-06-17T19:06:25Z https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432293#M123518 <P>Hi there,</P> <P>I'm fairly new to Splunk searches.<BR /> I have a search in a log : <CODE>index=tutti sourcetype=toto status!=4</CODE></P> <P>Where I have 4 fields of interest namely : BeginTime (in epoch format), EndTime (in epoch format), LogTime (in epoch format) and Attempts.<BR /> I want a search that would generate a dynamic multi-value field ("|" separated), let's call it LogTimes, based on the following logic :</P> <PRE><CODE>If Attempts =1 then LogTimes = LogTime elsif Attempts =2 then LogTimes = BeginTime|EndTime elsif Attempts =3 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/2|EndTime elsif Attempts = 4 then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/3|BeginTime+2*(EndTime-BeginTime)/3|EndTime </CODE></PRE> <P>Then it should count every timestamp occurrence (every single value in LogTimes) at the end.</P> <PRE><CODE>elsif Attempts = n then LogTimes = BeginTime|BeginTime+(EndTime-BeginTime)/(n-1)|BeginTime+2*(EndTime-BeginTime)/(n-1)|..............|BeginTime+(n-2)*(EndTime-BeginTime)/(n-1)|EndTime </CODE></PRE> <P>Can someone help me, please?</P> Mon, 17 Jun 2019 19:06:25 GMT https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432293#M123518 elaoumam 2019-06-17T19:06:25Z https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432294#M123519 <P>Can we have some sample data and corresponding output? Is the Attempts a field with literal numerical value of 1,2,3,4....?</P> Mon, 17 Jun 2019 21:07:37 GMT https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432294#M123519 somesoni2 2019-06-17T21:07:37Z https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432295#M123520 <P>Hi @somesoni2, yes it's a field with strict numerical values 1,2, 3, 4...<BR /> a data sample would look like :<BR /> Transaction_ID, status, Attempts, BeginTime, EndTime, LogTime<BR /> aH345kli, 0, 5, 1560861000, 1560864000, 1560863000</P> Tue, 18 Jun 2019 14:10:57 GMT https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432295#M123520 elaoumam 2019-06-18T14:10:57Z https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432296#M123521 <P>Basically if I have an event like the following :<BR /> Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime<BR /> aH345kli,0,3,1560861000,1560864000,1560863000<BR /> I should end up with something like :<BR /> Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes<BR /> aH345kli,0,3,1560861000,1560864000,1560863000,1560861000|1560862500|1560864000<BR /> If it's like :<BR /> Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime<BR /> aH345kli,0,1,1560861000,1560864000,1560863000<BR /> It should be :<BR /> Transaction_ID,status,Attempts,BeginTime,EndTime,LogTime,LogTimes<BR /> aH345kli,0,1,1560861000,1560864000,1560863000,1560863000<BR /> and so on.<BR /> And then return the corresponding total count of each timestamp in LogTimes (on all event) in a span of 1 min.</P> Wed, 30 Sep 2020 01:00:50 GMT https://community.splunk.com/t5/Splunk-Search/Generate-a-dynamic-multi-value-field-based-on-a-specific-field/m-p/432296#M123521 elaoumam 2020-09-30T01:00:50Z