topic Re: Unable to calculate a difference after using mvindex with _time field in Splunk Search

Unable to calculate a difference after using mvindex with _time field

tewarbit — Mon, 05 Aug 2019 17:38:14 GMT

I am using a transaction to combine events and I want to calculate the difference in time between the two events. I am getting a "Typechecking failed. '-' only takes numbers" error when trying to do subtraction on the _time field. Is there a way to do this?
Here is my search:

"Starting task" OR "Terminating task"
| eval myTime = _time 
| transaction pid 
| eval duration = mvindex(myTime, 1)-mvindex(myTime, 0), startTime = strftime(mvindex(myTime, 0), "%m/%d/%Y %H:%M:%S"), endTime = strftime(mvindex(myTime, 1), "%m/%d/%Y %H:%M:%S") 
| table pid startTime endTime duration

***Edit*
Responding to grittonc's question:
Yes - I am certain myTime is multi-valued. I can properly see the startTime and endTime values populating correctly in my table. Also - here is a snippet of the combined event:

Re: Unable to calculate a difference after using mvindex with _time field

grittonc — Mon, 05 Aug 2019 18:28:26 GMT

Are you sure that you are ending up with a multi-value field called myTime? Can you post sample data, anonymized if necessary?

Re: Unable to calculate a difference after using mvindex with _time field

grittonc — Mon, 05 Aug 2019 19:11:44 GMT

You either need to calculate the epoch time start and end first, or add tonumber() to convert them to numbers:

| eval end=mvindex(myTime, 1), start=mvindex(myTime, 0), duration = end-start

|eval duration=tonumber(mvindex(myTime, 1))-tonumber(mvindex(myTime, 0))

Re: Unable to calculate a difference after using mvindex with _time field

tewarbit — Mon, 05 Aug 2019 19:20:44 GMT

Both ways worked perfectly. Thanks!