Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract _time field from Multifield value

zhonk
Explorer
‎04-17-2020 01:13 AM

Hello I have a search with an MV Value this is called HeartBeatTime. I like to create an allert when the HeartBeatTime is over 5 Minute. My question is how can I get the time diff about _time and HeartBeatTime?

Here is my search:


index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| eval User_Number = mvcount(UserName)
| eval TimeDiff=_time - strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| table _time,UserName,Status, HeartBeatTime,TimeDiff, IPAddress, User_Number
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

zhonk
Explorer
‎04-17-2020 04:37 AM

Hi,
it works now, with a little trick.

With mvzip I create one field with all Multivalues and after that I expand it. So I get for each UserName one line and can make the Diff calc.
Here is my new Code:

index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| eval HeartBeatTime=if(isnotnull(HeartBeatTime),HeartBeatTime,"1970-01-01 01:00:00.000")

| eval User_Number = mvcount(UserName)
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)
| eval Feld1 = mvzip(UserName,HeartBeatTime)

| eval Feld1 = mvzip(Feld1,Status)
| eval Feld1 = mvzip(Feld1,IPAddress)
| eval Feld1 = mvzip(Feld1,Startuptime)
| mvexpand Feld1
| rex field=Feld1 "(?\w*),(?\S*\s*\S*),(?\w*),(?\S*),(?\S*\s*\S*)"

| eval Time=_time
|eval heartbeaepoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| eval TimeDiff=Time - heartbeaepoch
| table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

zhonk
Explorer
‎04-17-2020 04:37 AM

Hi,
it works now, with a little trick.

With mvzip I create one field with all Multivalues and after that I expand it. So I get for each UserName one line and can make the Diff calc.
Here is my new Code:

index=temp host="ctw-prod-qa"
| rex max_match=5 "serviceUserName=\"(?[^\"])"
| rex max_match=5 "serviceStatus=\"(?[^\"])"
| rex max_match=5 "serviceIPAddress=\"(?[^\"])"
| rex max_match=5 "serviceHeartBeatTime=\"(?[^\"])"
| rex max_match=5 "serviceStartupTime=\"(?[^\"])"
| eval HeartBeatTime=if(isnotnull(HeartBeatTime),HeartBeatTime,"1970-01-01 01:00:00.000")

| eval User_Number = mvcount(UserName)
| eval final_User_Number=if(isnotnull(User_Number),User_Number,0)
| eval Feld1 = mvzip(UserName,HeartBeatTime)

| eval Feld1 = mvzip(Feld1,Status)
| eval Feld1 = mvzip(Feld1,IPAddress)
| eval Feld1 = mvzip(Feld1,Startuptime)
| mvexpand Feld1
| rex field=Feld1 "(?\w*),(?\S*\s*\S*),(?\w*),(?\S*),(?\S*\s*\S*)"

| eval Time=_time
|eval heartbeaepoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| eval TimeDiff=Time - heartbeaepoch
| table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 05:05 AM

@zhonk If your problem is resolved then please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:53 AM

What's your Splunk version?
some multivalue function need version 8.

0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎04-17-2020 04:31 AM

Hi @to4kawa our splunk version is 7.3.4.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:35 AM

your |eval TimeDiff=_tmie - sp... can't work, because HeartBeatTime is multivalue.
Correcting query is difficult, will you provide logs?

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-17-2020 01:36 AM

hi @zhonk

Updated my Answer Please try like below @zhonk 

|makeresults |eval HeartBeatTime="2020-04-16 12:23:32.9",heartbeatEpoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N"),Time=_time|eval TimeDiff=Time-heartbeatEpoch,diff=tostring(TimeDiff,"Duration")
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎04-17-2020 01:52 AM

Hi @harishalipaka i have change the code but the field TimeDiff is empty.

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-17-2020 04:35 AM

@zhonk

Did you check individually -- query debug

are u getting Heart Beat epoch and _time epoch converting or not..

Thanks
Harish
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...