Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate time difference between multivalue fields

ayush1234
New Member
‎07-15-2020 05:47 AM

Hi , I have a data from search in below format
Name       provider1IN                 provider1OUT               provider2IN             provider2OUT
ABC               13:00                             14:00                            15:00                                 16:00
                         17:00                             18:00                            19:00                                 20:00
BCD                                                                                                  21:00                                22:00
                                                                                                           23:00                                 23:30

here, for ABC, Intime at provider 1 is at 13:00 and 17:00 hours and  out time is 14:00 and 18:00 hours. Similary at provider 2, intime is 15:00 and 19:00 hours and out time is 16:00 and 20:00 hours
For BCD, provider1 intime and outtime are null values and only provider2 intime and outtime has value as shown in above table.

Requirement : I need to calculate total time spent by ABC and BCD in provider1 and provider 2
which means what I want to achieve is

ABC                       provider1time                                            provider2time
                                (14:00-13:00)+(18:00-17:00)             (16:00-15:00)+(20:00-19:00)
BCD                                      0                                                       (22:00-21:00)+(23:30-23:00)

Kindly help and suggest how can I achieve the above result 
I am using stats list function to retrieve the multivalue intime and outtime.

Thanks for the help in advance.

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 08:48 AM

I think stats list has painted you into a corner.  Can you remove that and use eval to compute the difference between IN and OUT for each provider?  Then use stats to sum the differences.

... | eval provider1diff = strptime(provider1OUT, "%H:%M") - strptime(provider1IN, "%H:%M"), provider2diff = strptime(provider1OUT, "%H:%M") - strptime(provider2IN, "%H:%M")
| stats sum(provider1diff) as provider1time, sum(provider2diff) as provider2time by Name
| fillnull value=0
---
If this reply helps you, Karma would be appreciated.
Reply

ayush1234
New Member
‎07-15-2020 09:16 AM
Thanks @richgalloway But since for each Name , provider1IN,provider1OUT,provider2IN,provider2OUT are multivalue fields, a direct subtraction is not working. I have to use list to get all the times when request was sent to provider and when response was received.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 09:45 AM
Don't use stats list. Then you won't have multi-value fields. That's the crux of my reply.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ayush1234
New Member
‎07-15-2020 08:28 PM

Hi @richgalloway 
I have to either use
stats list(eval(if(Source="Provider1",_time,null()))) as Provider1IN list(eval(if(Destination="Provider1",_time,null()))) as Provider1OUT

OR 

stats values(eval(if(Source="Provider1",_time,null()))) as Provider1IN values(eval(if(Destination="Provider1",_time,null()))) as Provider1OUT

In either case, Provider1IN and Provider1OUT are multivalue field and similar for Provider2IN and Provider2OUT

Apologies if I am confusing here, I am new to this and trying to find my way out.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 06:49 AM
Where did the mandate to use list or values come from?
Can you share the full search in case there's another way to reach the same goal?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...