Calculating fields containing multiple values

kamryn
Explorer

I have two fields that each contain the same number of multiple values. One contains epoch times for the start of an interface navigation (time1); the other contains epoch times for when the navigation finished loading (time2). I'd like to see how long a user has to wait between each navigation.

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path=“metrics.progressMetrics{}.events{}.PROGRESS_START”
| spath output=time2 path=“metrics.progressMetrics{}.events{}.PROGRESS_END”
| eval timestart = mvindex(time1,0)
| eval timeend = mvindex(time2,0)
| eval timeremainder = timeend - timestart
| table timeremainder

Where I have timeremainder I am subtracting the timestart from the timeend and the remainder is how long the load time was. I had to specify the first value of each field in those two mvindex eval statements. The problem is there could be any number of navigations and I wouldn't be able to make a | eval timestart = mvindex(time1,0) for each of them.

Is there a way to tell Splunk for each value in a field to do something? Does anyone have a better idea as far as totaling the timeremainder?

Thanks

0 Karma
1 Solution

woodcock
Esteemed Legend

This may not scale well because of the map, but give it a try:

| makeresults count=5 
| eval host = 1
| streamstats count AS count 
| append 
    [| makeresults count=5 
    | eval host = 2
    | streamstats count AS count 
    | eval count = count * 13] 
| eval time1 = _time + 100 * count 
| eval time2 = time1 + 200 * count
| stats list(time*) AS time* BY host

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| eval equation = mvzip(time2, time1, "-")
| table host equation
| mvexpand equation
| map search="|makeresults | eval host=$host$, equation = [|makeresults | eval equation= $equation$ | return $equation]"

kamryn
Explorer

Thank you so much. I was able to use bits and pieces of your recommendation to make this search.

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,"-")
| mvexpand timeremainder
| table timeremainder

The output gives me these 11 events. This is great. I just need the difference in time (displayed here as epoch) between the two sets of numbers on each line.

1573497176218-1573497128423
1573497252033-1573497180136
1573497261518-1573497254009
1573497269017-1573497264028
1573497294907-1573497277368
1573497305420-1573497300005
1573497320716-1573497307228
1573497328259-1573497321342
1573497339106-1573497330161
1573497346430-1573497339834
1573497357228-1573497348029

I then tried to do this

sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,".")
| mvexpand timeremainder
| rex field=timeremainder "(?<time2>.*)\.(?<time1>.*)"
| eval time1=strftime(time1/1000,"%d-%m-%Y %H:%M:%S")
| eval time2=strftime(time2/1000,"%d-%m-%Y %H:%M:%S")
| eval diff=time2-time1
| table time1,time2,diff

However, the diff does not return the difference in time. Do you have any suggestions?

time1   time2   diff
11-11-2019 12:32:08 11-11-2019 12:32:56  
11-11-2019 12:33:00 11-11-2019 12:34:12  
11-11-2019 12:34:14 11-11-2019 12:34:21  
11-11-2019 12:34:24 11-11-2019 12:34:29  
11-11-2019 12:34:37 11-11-2019 12:34:54  
11-11-2019 12:35:00 11-11-2019 12:35:05  
11-11-2019 12:35:07 11-11-2019 12:35:20  
11-11-2019 12:35:21 11-11-2019 12:35:28  
11-11-2019 12:35:30 11-11-2019 12:35:39  
11-11-2019 12:35:39 11-11-2019 12:35:46  
11-11-2019 12:35:48 11-11-2019 12:35:57  

Thanks

0 Karma

woodcock
Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="XYZ" AND event=TimeMetrics
 | spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
 | spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
 | eval timeremainder = mvzip(time2, time1,".")
 | mvexpand timeremainder
 | rex field=timeremainder "(?<time2>.*)\.(?<time1>.*)"
 | eval diff=(time2 - time1) / 1000
 | table time1,time2,diff

kamryn
Explorer

That was exactly what I needed, thank you. I can ask this next question in a new post if I need to. I don't want to bother you as my original question has already been answered. Thank you so much for your help.

What you have shown me is how to calculate the loading wait time between navigations. Based on this, is there a simple way to change this search to show the time the user spends between navigations?

With a little more explanation, PROGRESS_START is when the loading begins and PROGRESS_END is when the loading stops. Then PROGRESS_END is when the loading stops and the loaded interface is presented, and PROGRESS_START is when the next navigation event occurs. This is kind of the next and final step that I'm trying to figure out: the time between the first END and the next START.

0 Karma
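The following SPL is an added, self-contained example and is not part of any post in this thread. It builds a single event with the same multivalue shape that the two spath commands produce, pairs the start and end lists with mvzip, computes the load time per navigation the way the accepted answer does, and then, for the follow-up question above, the idle gap between one PROGRESS_END and the next PROGRESS_START using streamstats over the expanded rows. The three epoch pairs are constructed sample data (the first three lines kamryn posted); the field names start, end, load_seconds, gap_seconds, prev_end and count_mismatch are my own, not fields from the original events. The `rename COMMENT AS` lines are section markers in the same style woodcock used and do nothing to the data.

```spl
| makeresults
| eval time1 = "1573497128423,1573497180136,1573497254009"
| eval time2 = "1573497176218,1573497252033,1573497261518"
| makemv delim="," time1
| makemv delim="," time2
| rename COMMENT AS "Everything above builds one constructed event with multivalue time1/time2 as spath would; everything below is the worked calculation."
| eval count_mismatch = if(mvcount(time1) != mvcount(time2), "yes", "no")
| eval pair = mvzip(time1, time2, ",")
| mvexpand pair
| rex field=pair "^(?<start>\d+),(?<end>\d+)$"
| eval load_seconds = (end - start) / 1000
| streamstats current=f last(end) AS prev_end
| eval gap_seconds = if(isnotnull(prev_end), (start - prev_end) / 1000, null())
| rename COMMENT AS "Format for display only after all arithmetic is done; strftime returns strings, which cannot be subtracted."
| eval start_display = strftime(start / 1000, "%d-%m-%Y %H:%M:%S")
| eval end_display = strftime(end / 1000, "%d-%m-%Y %H:%M:%S")
| table start_display end_display load_seconds gap_seconds count_mismatch
```

Two points worth keeping in mind when adapting this to the real sourcetype. First, the arithmetic is done on the raw epoch milliseconds and the values are only passed through strftime at the end; the empty diff column in the earlier attempt came from subtracting two formatted strings. Second, mvexpand keeps the values in list order and streamstats with current=f then sees each navigation's predecessor, which is what makes prev_end the previous PROGRESS_END. The count_mismatch flag is a sanity check: mvzip pairs values by position, so an event whose start and end lists differ in length would silently produce misaligned pairs. If the real events cover several users or hosts, add a `BY` clause (for example `BY host`) to the streamstats command so gaps are not computed across different users' sessions.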

woodcock
Esteemed Legend

Yes, post a new question.

kamryn
Explorer

Will do! Thanks again!

0 Karma