Splunk Search

Calculating fields containing multiple values


I have two fields that each contain the same number of multiple values. One contains epoch times for the start of an interface navigation (time1), the other contains epoch times for when the navigation finished loading (time2). I'd like to see how long a user has to wait between each navigation.

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timestart = mvindex(time1,0)
| eval timeend = mvindex(time2,0)
| eval timeremainder = timeend - timestart
| table timeremainder

Where I have timeremainder I am subtracting the timestart from the timeend and the remainder is how long the load time was. I had to specify the first value of each field in those two mvindex eval statements. The problem is there could be any number of navigations and I wouldn't be able to make a | eval timestart = mvindex(time1,0) for each of them.

Is there a way to tell Splunk for each value in a field to do something? Does anyone have a better idea as far as totaling the timeremainder?


1 Solution

Esteemed Legend

This may not scale well because of the map, but give it a try:

| makeresults count=5 
| eval host = 1
| streamstats count AS count 
| append 
    [| makeresults count=5 
    | eval host = 2
    | streamstats count AS count 
    | eval count = count * 13] 
| eval time1 = _time + 100 * count 
| eval time2 = time1 + 200 * count
| stats list(time*) AS time* BY host

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| eval equation = mvzip(time2, time1, "-")
| table host equation
| mvexpand equation
| map search="|makeresults | eval host=$host$, equation = [|makeresults | eval equation= $equation$ | return $equation]"


Thank you so much. I was able to use bits and pieces of your recommendation to make this search.

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,"-")
| mvexpand timeremainder
| table timeremainder

The output gives me these 11 events. This is great. I just need the difference in time (displayed here as epoch) between the two sets of numbers on each line.


I then tried to do this

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,".")
| mvexpand timeremainder
| rex field=timeremainder "(?<time2>.*)\.(?<time1>.*)"
| eval time1=strftime(time1/1000,"%d-%m-%Y %H:%M:%S")
| eval time2=strftime(time2/1000,"%d-%m-%Y %H:%M:%S")
| eval diff=time2-time1
| table time1,time2,diff

However, the diff does not return the difference in time. Do you have any suggestions?

time1                time2                diff
11-11-2019 12:32:08  11-11-2019 12:32:56
11-11-2019 12:33:00  11-11-2019 12:34:12
11-11-2019 12:34:14  11-11-2019 12:34:21
11-11-2019 12:34:24  11-11-2019 12:34:29
11-11-2019 12:34:37  11-11-2019 12:34:54
11-11-2019 12:35:00  11-11-2019 12:35:05
11-11-2019 12:35:07  11-11-2019 12:35:20
11-11-2019 12:35:21  11-11-2019 12:35:28
11-11-2019 12:35:30  11-11-2019 12:35:39
11-11-2019 12:35:39  11-11-2019 12:35:46
11-11-2019 12:35:48  11-11-2019 12:35:57



Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="XYZ" AND event=TimeMetrics
 | spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
 | spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
 | eval timeremainder = mvzip(time2, time1,".")
 | mvexpand timeremainder
 | rex field=timeremainder "(?<time2>.*)\.(?<time1>.*)"
 | eval diff=(time2 - time1) / 1000
 | table time1,time2,diff


That was exactly what I need thank you. I can ask this next question in a new post if I need to. I don't want to bother you as my original question has already been answered. Thank you so much for your help.

What you have shown me is how to calculate the loading wait time between navigations. Based on this, is there a simple way to change this search to show the time the user spends between navigations?

With a little more explanation, PROGRESS_START is when the loading begins and PROGRESS_END is when the loading stops. Then PROGRESS_END is when the loading stops and the loaded interface is presented, and PROGRESS_START is when the next navigation event occurs. This is kind of the next and final step that I'm trying to figure out: the time between the first END and the next START.


Esteemed Legend

Yes, post a new question.


Will do! Thanks again!

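To tie the thread together, here is an added example (my own, not code posted by either participant) that runs entirely on makeresults data, so it needs no index or sourcetype. It builds two events whose time1/time2 multivalue fields stand in for the spath output, with epoch-millisecond values constructed to match the first three rows of the table above, pairs the values with mvzip, splits each pair back into numbers, and computes the per-navigation load time the same way the rex-based answer does, without the map command of the accepted answer. It goes beyond the thread's specific case in two ways: it checks that the two multivalue fields have the same number of values before trusting the pairing, and it also computes the idle gap between one navigation's PROGRESS_END and the next navigation's PROGRESS_START, which is the follow-up question left for a new post. The host values and the nav_event, nav_seq, pairs_ok, load_seconds and idle_seconds field names are made up for the example.

```spl
| makeresults
| eval host = "web01"
| eval time1 = split("1573475528000,1573475580000,1573475654000", ",")
| eval time2 = split("1573475576000,1573475652000,1573475661000", ",")
| append
    [| makeresults
     | eval host = "web02"
     | eval time1 = split("1573475600000,1573475700000", ",")
     | eval time2 = split("1573475650000,1573475710000", ",")]

| rename COMMENT AS "Everything above stands in for the spath output (constructed data, not real events); everything below is the calculation."

| rename COMMENT AS "Number the original events so rows can be grouped again after mvexpand, and record whether START and END have the same number of values."
| streamstats count AS nav_event
| eval pairs_ok = if(mvcount(time1) == mvcount(time2), "yes", "no")

| rename COMMENT AS "Pair START[i] with END[i], expand one row per navigation, and number the navigations within each event."
| eval pair = mvzip(time1, time2, ",")
| fields - time1 time2
| mvexpand pair
| streamstats count AS nav_seq BY nav_event

| rename COMMENT AS "Do the arithmetic on the numeric epoch values BEFORE any strftime formatting."
| eval start_ms = tonumber(mvindex(split(pair, ","), 0))
| eval end_ms = tonumber(mvindex(split(pair, ","), 1))
| eval load_seconds = (end_ms - start_ms) / 1000

| rename COMMENT AS "Idle time: this navigation's START minus the previous navigation's END, within the same event."
| streamstats current=false last(end_ms) AS prev_end_ms BY nav_event
| eval idle_seconds = if(isnotnull(prev_end_ms), (start_ms - prev_end_ms) / 1000, null())

| eval start = strftime(start_ms / 1000, "%d-%m-%Y %H:%M:%S")
| eval end = strftime(end_ms / 1000, "%d-%m-%Y %H:%M:%S")
| table host nav_event nav_seq pairs_ok start end load_seconds idle_seconds
```

For the web01 event the three navigations should come out as load_seconds 48, 72 and 7, with idle_seconds empty on the first row (there is no earlier END) and 4 and 2 on the next two. Two practical points: the earlier attempt in this thread returned an empty diff because strftime turns both fields into strings, so subtract the epoch values first and format afterwards; and mvexpand is bounded by max_mem_usage_mb in limits.conf, so on events carrying very long progressMetrics arrays check pairs_ok and the row counts rather than assuming every navigation was expanded.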