Looking to create a chart that displays run time v...

fisuser1 · ‎03-13-2014

Hello, looking to create a data table that displays run time values of a batch jobs... Example of this would be defined below.

The DEPI_H element would be the start of the job, the DEPI_T element would be completion of the job. I am looking to create a table in Splunk that outputs the total runtime into a data table. Forgive my ignorance these, new to creating these...

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
AA1212|03/13/2014|06:33:03|03/13/2014|06:33:06|1212DEPI|XSFTP_EPI8
AA1212|03/13/2014|06:33:00|03/13/2014|06:33:02|1212DEPI|XSFTP_EPI7
AA1212|03/13/2014|06:32:57|03/13/2014|06:32:59|1212DEPI|XSFTP_EPI6
AA1212|03/13/2014|06:32:53|03/13/2014|06:32:56|1212DEPI|XSFTP_EPI5
AA1212|03/13/2014|06:32:50|03/13/2014|06:32:52|1212DEPI|XSFTP_EPI4
AA1212|03/13/2014|06:32:47|03/13/2014|06:32:49|1212DEPI|XSFTP_EPI3
AA1212|03/13/2014|06:32:44|03/13/2014|06:32:46|1212DEPI|XSFTP_EPI2
AA1212|03/13/2014|06:32:39|03/13/2014|06:32:43|1212DEPI|XSFTP_EPI1
AA1212|03/13/2014|06:32:37|03/13/2014|06:32:38|1212DEPI|XGETEPITZP
AA1212|03/13/2014|06:32:31|03/13/2014|06:32:36|1212DEPI|PZGETEPIT
AA1212|03/13/2014|06:31:28|03/13/2014|06:32:30|1212DEPI|XMONEPIT_
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

somesoni2 · ‎03-13-2014

Assuming your have field names like

field1|startDate|startTime|endDate|endTime|field2|field3

If you are interested in whole duration between and including event with DEPI_H to event with DEPI_T, try this

your base search | eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1

where field1 is the unique id for different batch run.

If you just want the duration of event with DEPI_H and DEPI_T, try this

your base search (field3="DEPI_H" OR field3="DEPI_T")| eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1

fisuser1 · ‎03-13-2014

Many thanks, I will give this a try!

fisuser1 · ‎03-13-2014

Yes, in this case, AA1212 is the identifier...

somesoni2 · ‎03-13-2014

Finally, since these events are for one batch run, do you have any field which separates different, some kind of Id?

fisuser1 · ‎03-13-2014

Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
and
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T

fisuser1 · ‎03-13-2014

Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.

AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

and

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T

somesoni2 · ‎03-13-2014

Are the fields extracted already? For duration , you want the sum of duration of each event of total duration from DEPI_H to DEPI_T?

Looking to create a chart that displays run time values

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life