Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subtraction of multiple values in same cell

shivaa
Explorer
‎06-30-2021 06:03 AM

So I’m pretty new to splunk and I do feel like this should be a lot simpler than I’m making it.

I need two epoch times that are in the same cell to be substracted from each other and I haven’t been able to find anything that can help with it or figure it out myself. I didn't want to use mvexpand because I want the subtraction to be based off of the user

 

My search result looks like this rn:

NameEpoch
UserA

1625037039

1625037045

UserB

1625050381

1625050423

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2021 08:03 AM

@shivaa 

Can you please try this?

YOUR_SEARCH
| eval Epoch=tonumber(mvindex(Epoch,1)) - tonumber(mvindex(Epoch,0))

 

My Sample Search :

| makeresults | eval _raw="Name	Epoch
UserA	1625037039|1625037045
UserB	1625050381|1625050423"
| multikv forceheader=1
| eval Epoch=split(Epoch,"|")
| table Name Epoch
| rename comment as "Upto Now is sample data only" 
| eval Epoch=tonumber(mvindex(Epoch,1)) - tonumber(mvindex(Epoch,0))


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

shivaa
Explorer
‎06-30-2021 07:57 AM

Hey, thank you for your reply. However I get the following error 😞
-> Error in 'eval' command: Type checking failed. '-' only takes numbers.

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2021 08:03 AM

@shivaa 

Can you please try this?

YOUR_SEARCH
| eval Epoch=tonumber(mvindex(Epoch,1)) - tonumber(mvindex(Epoch,0))

 

My Sample Search :

| makeresults | eval _raw="Name	Epoch
UserA	1625037039|1625037045
UserB	1625050381|1625050423"
| multikv forceheader=1
| eval Epoch=split(Epoch,"|")
| table Name Epoch
| rename comment as "Upto Now is sample data only" 
| eval Epoch=tonumber(mvindex(Epoch,1)) - tonumber(mvindex(Epoch,0))


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

shivaa
Explorer
‎06-30-2021 11:14 PM

worked like a charm, thank you so much! 🙂

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-30-2021 06:24 AM 
| eval epoch=mvindex(epoch,1)-mvindex(epoch,0)
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...