https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473774#M133310 <P>@zhonk </P> <P>Did you check individually -- query debug</P> <P>are u getting Heart Beat epoch and _time epoch converting or not..</P> Fri, 17 Apr 2020 11:35:21 GMT harishalipaka 2020-04-17T11:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473768#M133304 <P>Hello I have a search with an MV Value this is called HeartBeatTime. I like to create an allert when the HeartBeatTime is over 5 Minute. My question is how can I get the time diff about _time and HeartBeatTime?</P> <P>Here is my search:</P> <P><CODE><BR /> index=<EM>temp host="ctw-prod-qa" <BR /> | rex max_match=5 "serviceUserName=\"(?[^\"]</EM>)" <BR /> | rex max_match=5 "serviceIPAddress=\"(?[^\"]<EM>)" <BR /> | rex max_match=5 "serviceStartupTime=\"(?[^\"]</EM>)" <BR /> | rex max_match=5 "serviceStatus=\"(?[^\"]<EM>)" <BR /> | rex max_match=5 "serviceHeartBeatTime=\"(?[^\"]</EM>)" <BR /> | eval User_Number = mvcount(UserName) <BR /> | eval TimeDiff=_time - strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")<BR /> | table _time,UserName,Status, HeartBeatTime,TimeDiff, IPAddress, User_Number <BR /> | eval final_User_Number=if(isnotnull(User_Number),User_Number,0)<BR /> </CODE></P> Wed, 30 Sep 2020 04:58:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473768#M133304 zhonk 2020-09-30T04:58:23Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473769#M133305 <P>hi @zhonk</P> <P><STRONG>Updated my Answer Please try like below</STRONG> @zhonk </P> <PRE><CODE>|makeresults |eval HeartBeatTime="2020-04-16 12:23:32.9",heartbeatEpoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N"),Time=_time|eval TimeDiff=Time-heartbeatEpoch,diff=tostring(TimeDiff,"Duration") </CODE></PRE> Fri, 17 Apr 2020 08:36:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473769#M133305 harishalipaka 2020-04-17T08:36:14Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473770#M133306 <P>Hi @harishalipaka i have change the code but the field TimeDiff is empty.</P> Fri, 17 Apr 2020 08:52:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473770#M133306 zhonk 2020-04-17T08:52:03Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473771#M133307 <P>What's your Splunk version?<BR /> some multivalue function need version 8.</P> Fri, 17 Apr 2020 10:53:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473771#M133307 to4kawa 2020-04-17T10:53:05Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473772#M133308 <P>Hi @to4kawa our splunk version is 7.3.4.</P> Fri, 17 Apr 2020 11:31:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473772#M133308 zhonk 2020-04-17T11:31:38Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473773#M133309 <P>your <CODE>|eval TimeDiff=_tmie - sp...</CODE> can't work, because HeartBeatTime is multivalue.<BR /> Correcting query is difficult, will you provide logs?</P> Fri, 17 Apr 2020 11:35:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473773#M133309 to4kawa 2020-04-17T11:35:19Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473774#M133310 <P>@zhonk </P> <P>Did you check individually -- query debug</P> <P>are u getting Heart Beat epoch and _time epoch converting or not..</P> Fri, 17 Apr 2020 11:35:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473774#M133310 harishalipaka 2020-04-17T11:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473775#M133311 <P>Hi,<BR /> it works now, with a little trick.</P> <P>With mvzip I create one field with all Multivalues and after that I expand it. So I get for each UserName one line and can make the Diff calc.<BR /> Here is my new Code:</P> <P>index=<EM>temp host="ctw-prod-qa" <BR /> | rex max_match=5 "serviceUserName=\"(?[^\"]</EM>)" <BR /> | rex max_match=5 "serviceStatus=\"(?[^\"]<EM>)" <BR /> | rex max_match=5 "serviceIPAddress=\"(?[^\"]</EM>)" <BR /> | rex max_match=5 "serviceHeartBeatTime=\"(?[^\"]<EM>)" <BR /> | rex max_match=5 "serviceStartupTime=\"(?[^\"]</EM>)" <BR /> | eval HeartBeatTime=if(isnotnull(HeartBeatTime),HeartBeatTime,"1970-01-01 01:00:00.000")</P> <P>| eval User_Number = mvcount(UserName)<BR /> | eval final_User_Number=if(isnotnull(User_Number),User_Number,0)<BR /> | eval Feld1 = mvzip(UserName,HeartBeatTime)<BR /><BR /> | eval Feld1 = mvzip(Feld1,Status) <BR /> | eval Feld1 = mvzip(Feld1,IPAddress) <BR /> | eval Feld1 = mvzip(Feld1,Startuptime)<BR /> | mvexpand Feld1<BR /> | rex field=Feld1 "(?\w*),(?\S*\s*\S*),(?\w*),(?\S*),(?\S*\s*\S*)" </P> <P>| eval Time=_time <BR /> |eval heartbeaepoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")<BR /> | eval TimeDiff=Time - heartbeaepoch<BR /> | table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number</P> <P>Thanks </P> Wed, 30 Sep 2020 05:02:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473775#M133311 zhonk 2020-09-30T05:02:16Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473776#M133312 <P>@zhonk If your problem is resolved then please accept an answer to help future readers.</P> Fri, 17 Apr 2020 12:05:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-time-field-from-Multifield-value/m-p/473776#M133312 richgalloway 2020-04-17T12:05:26Z