https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660590#M228079 <P>Hey you may need to change them to a string. Can&nbsp; you try this and let me know if it works ( I am new to Splunk lol)</P><LI-CODE lang="markup">MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S") | eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S") | eval diff= tostring((MyEndUnix - MyStartUnix),"duration") | table MyStartTime MyEndTime MyStartUnix MyEndUnix diff</LI-CODE><P>&nbsp;</P> Thu, 12 Oct 2023 21:51:14 GMT Law2 2023-10-12T21:51:14Z https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660582#M228078 <P>I'm having trouble getting a duration between two timestamps from some extracted fields.<BR /><BR />My search looks like this:</P><P>&nbsp;</P><LI-CODE lang="markup">MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S") | eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S") | eval diff=MyEndUnix-MyStartUnix | table MyStartTime MyEndTime MyStartUnix MyEndUnix diff</LI-CODE><P>&nbsp;</P><P><BR />And my table is returned as:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%">MyStartTime</TD><TD width="20%">MyEndTime</TD><TD width="20%">MyStartUnix</TD><TD width="20%">MyEndUnix</TD><TD width="20%">diff</TD></TR><TR><TD width="20%"><DIV class="">2023-10-10T14:48:39</DIV></TD><TD width="20%"><DIV class="">2023-10-10T14:15:15</DIV></TD><TD width="20%"><DIV class="">1696963719.000000</DIV></TD><TD width="20%"><DIV class="">1696961715.000000</DIV></TD><TD width="20%">&nbsp;</TD></TR><TR><TD width="20%">2023-10-10T14:57:50</TD><TD width="20%">2023-10-10T13:56:53</TD><TD width="20%">1696964270.000000</TD><TD width="20%">1696960613.000000</TD><TD width="20%">&nbsp;</TD></TR></TBODY></TABLE> Thu, 12 Oct 2023 19:24:53 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660582#M228078 pgates 2023-10-12T19:24:53Z https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660590#M228079 <P>Hey you may need to change them to a string. Can&nbsp; you try this and let me know if it works ( I am new to Splunk lol)</P><LI-CODE lang="markup">MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S") | eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S") | eval diff= tostring((MyEndUnix - MyStartUnix),"duration") | table MyStartTime MyEndTime MyStartUnix MyEndUnix diff</LI-CODE><P>&nbsp;</P> Thu, 12 Oct 2023 21:51:14 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660590#M228079 Law2 2023-10-12T21:51:14Z https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660591#M228080 <P>With Splunk usually if something looks like a number but doesn't behave like a number it means that it's not a number but a string representation of a number and you have to tonumber() it. But in this case since strptime should give you a number it would be a bit surprising.</P> Thu, 12 Oct 2023 22:11:06 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660591#M228080 PickleRick 2023-10-12T22:11:06Z https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660665#M228091 <P>No, that doesn't work.&nbsp; I believe the reason it doesn't work is because it is just attempting to change the value of the equation (end - start) to a string, and that value appears to be empty for some reason.</P><P>I appreciate the try though.</P> Fri, 13 Oct 2023 12:54:29 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660665#M228091 pgates 2023-10-13T12:54:29Z https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660777#M228141 <P>I have a strong suspicion that your mock output is misleading. &nbsp;The correct mock output most likely look like this instead:</P><TABLE><TBODY><TR><TD><DIV class="">MyStartTime</DIV></TD><TD><DIV class="">MyEndTime</DIV></TD><TD><DIV class="">MyStartUnix</DIV></TD><TD><DIV class="">MyEndUnix</DIV></TD><TD><DIV class="">diff</DIV></TD></TR><TR><TD><DIV class="">2023-10-10T14:48:39</DIV><DIV class="">2023-10-10T14:57:50</DIV></TD><TD><DIV class="">2023-10-10T14:15:15</DIV><DIV class="">2023-10-10T13:56:53</DIV></TD><TD><DIV class="">1696974519.000000</DIV><DIV class="">1696975070.000000</DIV></TD><TD><DIV class="">1696972515.000000</DIV><DIV class="">1696971413.000000</DIV></TD><TD><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV></TD></TR></TBODY></TABLE><P>In other words, instead of the two start and end pairs in two rows, they are in the same row for a given value of AnotherField which you didn't show.</P><P>This is because you use list function by AnotherField. &nbsp;Very likely there are more than one start-end pairs per AnotherField. &nbsp;These multivalued fields cannot be used in arithmetic operations directly. &nbsp;Before I describe a method to handle multivalue fields, let me first get some clarifications.</P><OL><LI>Is it really important to use list function? &nbsp;Are there overlapping MyStartTime, overlapping MyEndTime, or overlapping intervals that magically end up in the correct sequence? &nbsp;If not, using values is a lot cheaper and you won't be subject to memory limitations. (Because we are looking at ISO timestamps, values with order them correctly.)</LI><LI>Is it really important to calculate diff after stats? &nbsp;If you are listing/tallying values of every start-end pair, it is actually cheaper to calculate diff before stats. (If MyStartTime and MyEndTime don't appear in the same event, of course, you don't have a choice.)</LI><LI>I cannot see real importance of listing MyStartUnix and MyEndUnix in final results, so the following will simply ignore them.</LI></OL><P>With these caveats, you can use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvmap.28.26lt.3Bmv.26gt.3B.2C.26lt.3Bexpression.26gt.3B.29" target="_blank" rel="noopener">mvmap</A> to handle multivalued field after stats. &nbsp;In the following, I assume that each start is paired with an end.</P><P>&nbsp;</P><LI-CODE lang="markup">MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval idx = mvrange(0, mvcount(MyStartTime)) | eval diff=mvmap(idx, strptime(mvindex(MyEndTime, idx), "%Y-%m-%dT%H:%M:%S")-strptime(mvindex(MyStartTime, idx), "%Y-%m-%dT%H:%M:%S")) | fields - idx</LI-CODE><P>&nbsp;</P><P>This will give you</P><TABLE><TBODY><TR><TD>AnotherField</TD><TD><DIV class="">MyStartTime</DIV></TD><TD><DIV class="">MyEndTime</DIV></TD><TD><DIV class="">diff</DIV></TD></TR><TR><TD>another</TD><TD><DIV class="">2023-10-10T14:48:39</DIV><DIV class="">2023-10-10T14:57:50</DIV></TD><TD><DIV class="">2023-10-10T14:15:15</DIV><DIV class="">2023-10-10T13:56:53</DIV></TD><TD><DIV class="">-2004.000000</DIV><DIV class="">-3657.000000</DIV></TD></TR></TBODY></TABLE><P>(Your samples have ends before starts, hence negative diffs.)</P><P>&nbsp;</P> Sat, 14 Oct 2023 10:06:54 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-Duration-of-Extracted-Fields/m-p/660777#M228141 yuanliu 2023-10-14T10:06:54Z