Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Why do I get an empty output when subtracting one ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do I get an empty output when subtracting one time field from the main query and another from the subquery?
I am retrieving two time fields one from main query and other from subquery. When I subtract both fields, I get blank output.
Query I am using:
index=main host=* *CRgsSessionInfo* PrimaryUserLogin=PrimaryUserLogOn | eval Time = _time | append [search host=* *CRgsSessionInfo PrimaryUserLogin=PrimaryUserLogoff | eval Time1 = _time ] | eval Diff= Time1-Time |table Diff
marked code. dmj
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Easier fix would be to use appendcols command instead of append (assuming both your searches gives a single rows result). With some cleanup/best practices, it'd look like this
index=main host=* *CRgsSessionInfo* PrimaryUserLogin=PrimaryUserLogOn | eval Time = _time | table Time| appendcols [search host=* *CRgsSessionInfo PrimaryUserLogin=PrimaryUserLogoff | eval Time1 = _time | table Time1] | eval Diff= Time1-Time |table Diff
Better approach is the one suggested by @DalJeanis, when you can completely eliminate subsearch, so look at that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, there are a number of issues here.
First, you are not giving yourself all the other contextual fields, so you have no way to interpret your results and why they are empty. If you looked at the results without the table command, you would be able to get farther.
Second, you are appending two sets of records, so there are separate records, some for logons and some for logoffs. none of those records have both a logon and a logoff on them, so the diff will always be null. You can actually select all those same records at the same time, but you still need to link them.
Third, you are not connecting the two records in any way. stats is one example of a verb that can be used to pull together different records, if you have a mutual key field. One would assume there is a user field, and a host field. so maybe this is the way they should be connected.
index=main host=* *CRgsSessionInfo* (PrimaryUserLogin="PrimaryUserLogOn" OR PrimaryUserLogin="PrimaryUserLogoff")
| fields _time host user PrimaryUserLogin
| eval timein=case(PrimaryUserLogin="PrimaryUserLogOn",_time)
| eval timeout=case(PrimaryUserLogin="PrimaryUserLogoff",_time)
| stats count min(timein) as timein max(timeout) as timeout by host user
| eval Diff =timeout-timein
If count is greater than 2, then it means you have multiple logins and logouts and you need a more complex search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Daljeanis,
Thank you, above query worked for me. But my count is greater than 2 can you suggest something to handle multiple logins?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
