Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Summing values inside mvfield

rvsroe
Explorer
‎06-18-2020 07:44 AM

Hi All,

I am trying to substract values (timestamps) of an mv field, but they are of differing lengths;

## example data:
sysmodtime,idnumber,epoch time
05/03/20 12:40 PM,1,1588502400
05/01/20 12:01 AM,1,1588284060
05/01/20 12:02 AM,1,1588284120
05/01/20 12:02 AM,1,1588284120

05/02/20 12:00 PM,2,1588413600
04/02/20 12:00 AM,2,1585778400
04/02/20 01:00 AM,2,1585782000

04/02/20 02:00 AM,3,1585785600

##desired outcome: = new field time-diff at the end:
sysmodtime,idnumber,epoch time,time_diff
05/03/20 12:40 PM,1,1588502400,218340
05/01/20 12:01 AM,1,1588284060,-60
05/01/20 12:02 AM,1,1588284120,0
05/01/20 12:02 AM,1,1588284120,empty

05/02/20 12:00 PM,2,1588413600,2635200
04/02/20 12:00 AM,2,1585778400,-3600
04/02/20 01:00 AM,2,1585782000,empty

04/02/20 02:00 AM,3,1585785600,empty


-------------------------------
The original data is about 200.000 rows long, so we are looking for a structural solution.

Is there a simple way to loop through the timestamp value inside the mvfield and substract it and place it in a new field
Any suggestions would be very welcome,

Cheers,
Roelof

Labels (1)
Labels
Preview file
55 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-19-2020 12:03 AM

I believe you will have to mvexpand out the fields first to get the mv field into separate rows and then run streamstats. Take this for example

| makeresults
| eval _raw="sysmodtime,idnumber,epoch time
05/03/20 12:40 PM,1,1588502400
05/01/20 12:01 AM,1,1588284060
05/01/20 12:02 AM,1,1588284120
05/01/20 12:02 AM,1,1588284120
05/02/20 12:00 PM,2,1588413600
04/02/20 12:00 AM,2,1585778400
04/02/20 01:00 AM,2,1585782000
04/02/20 02:00 AM,3,1585785600"
| multikv
| stats list(*) as * by idnumber
| eval x="So, up to here is your original data"
| eval base=mvzip(sysmodtime,epoch_time)
| fields - _raw linecount sysmodtime epoch_time
| mvexpand base
| rex field=base "(?<sysmodtime>[^,]*),(?<epoch_time>.*)"
| fields - base
| streamstats window=2 range(epoch_time) as time_diff by idnumber
| stats list(*) as * by idnumber
| eval time_diff=mvindex(time_diff,1,-1)

That gives you what you want, but will be expensive to do the mvexpand and re-aggregations, but you can measure that.

As to calculating values inside MV fields, if you have Splunk 8 I think, then mvmap may be able to get you to where you want, I couldn't get it to work though - I've not used it before.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-19-2020 12:03 AM

I believe you will have to mvexpand out the fields first to get the mv field into separate rows and then run streamstats. Take this for example

| makeresults
| eval _raw="sysmodtime,idnumber,epoch time
05/03/20 12:40 PM,1,1588502400
05/01/20 12:01 AM,1,1588284060
05/01/20 12:02 AM,1,1588284120
05/01/20 12:02 AM,1,1588284120
05/02/20 12:00 PM,2,1588413600
04/02/20 12:00 AM,2,1585778400
04/02/20 01:00 AM,2,1585782000
04/02/20 02:00 AM,3,1585785600"
| multikv
| stats list(*) as * by idnumber
| eval x="So, up to here is your original data"
| eval base=mvzip(sysmodtime,epoch_time)
| fields - _raw linecount sysmodtime epoch_time
| mvexpand base
| rex field=base "(?<sysmodtime>[^,]*),(?<epoch_time>.*)"
| fields - base
| streamstats window=2 range(epoch_time) as time_diff by idnumber
| stats list(*) as * by idnumber
| eval time_diff=mvindex(time_diff,1,-1)

That gives you what you want, but will be expensive to do the mvexpand and re-aggregations, but you can measure that.

As to calculating values inside MV fields, if you have Splunk 8 I think, then mvmap may be able to get you to where you want, I couldn't get it to work though - I've not used it before.

Reply
Solved! Jump to solution

rvsroe
Explorer
‎06-19-2020 04:35 AM

This worked perfectly, thank you very much, I've only added a strftime to convert epoch into hours and minutes:

 | eval time_diff=strftime(mvindex(time_diff,1,-1),"%H:%M:%S") 

forum1.PNG

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 08:46 AM

If I understand your data correctly, you may be able to use streamstats.

... | streamstats window=2 range('epoch timestamp') as time_diff
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

rvsroe
Explorer
‎06-19-2020 04:36 AM

Thanks for the reply, streamstats was indeed helpful, I've accepted the other reply as answer though for its completeness

0 Karma
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c;Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...