Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Summing epoch values within a JSON field

Esky73
Builder
‎10-19-2017 08:03 PM

I have ingested a JSON file which shows me how long spent on an app on my phone and looks like (below)
The fields have been extracted using KV_MODE = json which extracts the fields.
The "tc" field consists of arrays of start epoch time and stop epoch time.
Looking for a way to calculate the duration between start and stop time and sum the totals of the time pairs ?

{ "id": "4bd3f831", "pn": "com.mixcloud.player414", "pvc": "414", "tc": [ [ 1508278704589, 1508278705604 ], [ 1508278705751, 1508278707123 ], [ 1508278707180, 1508278708056 ], [ 1508278708101, 1508278708927 ], [ 1508278709604, 1508278716390 ], [ 1508278836263, 1508278837301 ], [ 1508278837693, 1508278851610 ], [ 1508278861521, 1508278862569 ], [ 1508278862931, 1508278868520 ], [ 1508302373918, 1508302374962 ], [ 1508302375336, 1508302383102 ], [ 1508363224848, 1508363225862 ], [ 1508363226458, 1508363235766 ], [ 1508404509296, 1508404510357 ], [ 1508404510843, 1508404520545 ], [ 1508404520674, 1508404528311 ] ] },

Thx.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-19-2017 09:32 PM

Try this...

| streamstats count as recno
| appendpipe 
    [| fields recno 
     | rex field=_raw "\[\s*(?<starttime>\d+),\s*(?<stoptime>\d+)\s*\]" max_match=0
     | eval myFan=mvrange(0,mvcount(starttime)) 
     | mvexpand myFan 
     | eval duration=tonumber(mvindex(stoptime,myFan)) - tonumber(mvindex(starttime,myFan))
     | stats sum(duration) as duration count as killme by recno
    ]
| eventstats values(duration)  as duration by recno
| where isnull(killme)

updated typo +* to *, updated eval duration to use tonumber() on the results before subtracting.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-19-2017 09:32 PM

Try this...

| streamstats count as recno
| appendpipe 
    [| fields recno 
     | rex field=_raw "\[\s*(?<starttime>\d+),\s*(?<stoptime>\d+)\s*\]" max_match=0
     | eval myFan=mvrange(0,mvcount(starttime)) 
     | mvexpand myFan 
     | eval duration=tonumber(mvindex(stoptime,myFan)) - tonumber(mvindex(starttime,myFan))
     | stats sum(duration) as duration count as killme by recno
    ]
| eventstats values(duration)  as duration by recno
| where isnull(killme)

updated typo +* to *, updated eval duration to use tonumber() on the results before subtracting.

Reply
Solved! Jump to solution

Esky73
Builder
‎10-19-2017 10:12 PM

Thanks @DalJeanis .. there was a slight typo in the rex cmd :
amended to - rex field=_raw "\[\s*(?\d+),\s*(?\d+)\s*\]" max_match=0
But now i see the following error ..
Error in 'eval' command: Typechecking failed. '-' only takes numbers.

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎10-22-2017 03:33 PM

separated the eval cmd which worked with the following - thx ...

index=test pn="*"
| streamstats count as recno 
| appendpipe 
    [| fields recno 
    | rex field=_raw "\[\s*(?<starttime>\d+),\s*(?<stoptime>\d+)\s*\]" max_match=0 
    | eval myFan=mvrange(0,mvcount(starttime)) 
    | mvexpand myFan 
    | eval stopduration=mvindex(stoptime,myFan) 
    | eval startduration=mvindex(starttime,myFan) 
    | eval duration=stopduration-startduration 
    | stats sum(duration) as duration count as killme by recno
    ] 
| eventstats values(duration) as duration by recno 
| where isnull(killme)
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-22-2017 05:28 PM

@Esky73 - interesting.

I would have done this, but your way is fine.

  | eval duration=tonumber(mvindex(stoptime,myFan)) - tonumber(mvindex(starttime,myFan))

Updated the answer to fix the typo and add the the tonumber() typing.

Please accept the answer so it will show as closed.

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎11-02-2017 04:59 PM

With the output from the above search - how to sum the duration of the same processes so sum of com.teslcoilsw.launcher.* and sum of com.facebook.katana.* ?

1 com.teslacoilsw.launcher54100 391.27
2 com.teslacoilsw.launcher54100 382.81
3 com.teslacoilsw.launcher54100 285.94
4 com.teslacoilsw.launcher53000 270.90
5 com.facebook.katana75931115 102.39
6 com.whatsapp452018 89.20
7 com.facebook.katana75931115 75.37
8 com.facebook.katana74851857 58.64

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...