Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract _time field from Multifield value

zhonk
Explorer
‎04-17-2020 01:13 AM

Hello I have a search with an MV Value this is called HeartBeatTime. I like to create an allert when the HeartBeatTime is over 5 Minute. My question is how can I get the time diff about _time and HeartBeatTime?

Here is my search:


index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| eval User_Number = mvcount(UserName)
| eval TimeDiff=_time - strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| table _time,UserName,Status, HeartBeatTime,TimeDiff, IPAddress, User_Number
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

zhonk
Explorer
‎04-17-2020 04:37 AM

Hi,
it works now, with a little trick.

With mvzip I create one field with all Multivalues and after that I expand it. So I get for each UserName one line and can make the Diff calc.
Here is my new Code:

index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| eval HeartBeatTime=if(isnotnull(HeartBeatTime),HeartBeatTime,"1970-01-01 01:00:00.000")

| eval User_Number = mvcount(UserName)
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)
| eval Feld1 = mvzip(UserName,HeartBeatTime)

| eval Feld1 = mvzip(Feld1,Status)
| eval Feld1 = mvzip(Feld1,IPAddress)
| eval Feld1 = mvzip(Feld1,Startuptime)
| mvexpand Feld1
| rex field=Feld1 "(?\w*),(?\S*\s*\S*),(?\w*),(?\S*),(?\S*\s*\S*)"

| eval Time=_time
|eval heartbeaepoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| eval TimeDiff=Time - heartbeaepoch
| table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

zhonk
Explorer
‎04-17-2020 04:37 AM

Hi,
it works now, with a little trick.

With mvzip I create one field with all Multivalues and after that I expand it. So I get for each UserName one line and can make the Diff calc.
Here is my new Code:

index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| eval HeartBeatTime=if(isnotnull(HeartBeatTime),HeartBeatTime,"1970-01-01 01:00:00.000")

| eval User_Number = mvcount(UserName)
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)
| eval Feld1 = mvzip(UserName,HeartBeatTime)

| eval Feld1 = mvzip(Feld1,Status)
| eval Feld1 = mvzip(Feld1,IPAddress)
| eval Feld1 = mvzip(Feld1,Startuptime)
| mvexpand Feld1
| rex field=Feld1 "(?\w*),(?\S*\s*\S*),(?\w*),(?\S*),(?\S*\s*\S*)"

| eval Time=_time
|eval heartbeaepoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| eval TimeDiff=Time - heartbeaepoch
| table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 05:05 AM

@zhonk If your problem is resolved then please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:53 AM

What's your Splunk version?
some multivalue function need version 8.

0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎04-17-2020 04:31 AM

Hi @to4kawa our splunk version is 7.3.4.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:35 AM

your |eval TimeDiff=_tmie - sp... can't work, because HeartBeatTime is multivalue.
Correcting query is difficult, will you provide logs?

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-17-2020 01:36 AM

hi @zhonk

Updated my Answer Please try like below @zhonk 

|makeresults |eval HeartBeatTime="2020-04-16 12:23:32.9",heartbeatEpoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N"),Time=_time|eval TimeDiff=Time-heartbeatEpoch,diff=tostring(TimeDiff,"Duration")
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎04-17-2020 01:52 AM

Hi @harishalipaka i have change the code but the field TimeDiff is empty.

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-17-2020 04:35 AM

@zhonk

Did you check individually -- query debug

are u getting Heart Beat epoch and _time epoch converting or not..

Thanks
Harish
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...