Hi,
it works now, with a little trick.
With mvzip I combine all the multivalue fields into one field and then expand it with mvexpand. That gives me one row per UserName, so I can calculate the time difference.
Here is my new Code:
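index=temp host="ctw-prod-qa"
```Extract the service attributes from each event. The capture-group names were stripped from the posted query (rex needs named groups); they are restored here from the field names used further down. The quantifier after the character class was also lost; + is assumed, confirm against the original search.```
```max_match=5 keeps at most five values per attribute, so a sixth service in one event is silently dropped.```
| rex max_match=5 "serviceUserName=\"(?<UserName>[^\"]+)"
| rex max_match=5 "serviceStatus=\"(?<Status>[^\"]+)"
| rex max_match=5 "serviceIPAddress=\"(?<IPAddress>[^\"]+)"
| rex max_match=5 "serviceHeartBeatTime=\"(?<HeartBeatTime>[^\"]+)"
| rex max_match=5 "serviceStartupTime=\"(?<Startuptime>[^\"]+)"
```Events without any heartbeat get a fixed placeholder timestamp so the later strptime still returns a value.```
| eval HeartBeatTime=coalesce(HeartBeatTime,"1970-01-01 01:00:00.000")
```Number of services found in the event; final_User_Number is the same count with 0 instead of null.```
| eval User_Number = mvcount(UserName)
| eval final_User_Number=coalesce(User_Number,0)
```Join the five multivalue fields into comma-separated tuples. mvzip pairs values by position only: if one service entry lacks an attribute, the remaining values line up with the wrong UserName.```
| eval Feld1 = mvzip(UserName,HeartBeatTime)
| eval Feld1 = mvzip(Feld1,Status)
| eval Feld1 = mvzip(Feld1,IPAddress)
| eval Feld1 = mvzip(Feld1,Startuptime)
```One result row per tuple.```
| mvexpand Feld1
```Split the tuple back into single-value fields, in the same order as the mvzip calls above. \w* matches only letters, digits and underscore, so a user name containing other characters (such as - or .) is not captured in full.```
| rex field=Feld1 "(?<UserName>\w*),(?<HeartBeatTime>\S*\s*\S*),(?<Status>\w*),(?<IPAddress>\S*),(?<Startuptime>\S*\s*\S*)"
```Seconds between the event time and the service's last heartbeat. The format string carries no time zone, so the parsed value presumably depends on the time-zone setting in effect for the search; confirm before alerting on TimeDiff.```
| eval HeartBeatEpoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N")
| eval TimeDiff=_time - HeartBeatEpoch
| table _time, UserName,Startuptime , HeartBeatTime,Status,IPAddress,TimeDiff, User_Number, final_User_Number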
Thanks