Hello, looking to create a data table that displays run time values of a batch jobs... Example of this would be defined below.
The DEPI_H element would be the start of the job, the DEPI_T element would be completion of the job. I am looking to create a table in Splunk that outputs the total runtime into a data table. Forgive my ignorance these, new to creating these...
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
AA1212|03/13/2014|06:33:03|03/13/2014|06:33:06|1212DEPI|XSFTP_EPI8
AA1212|03/13/2014|06:33:00|03/13/2014|06:33:02|1212DEPI|XSFTP_EPI7
AA1212|03/13/2014|06:32:57|03/13/2014|06:32:59|1212DEPI|XSFTP_EPI6
AA1212|03/13/2014|06:32:53|03/13/2014|06:32:56|1212DEPI|XSFTP_EPI5
AA1212|03/13/2014|06:32:50|03/13/2014|06:32:52|1212DEPI|XSFTP_EPI4
AA1212|03/13/2014|06:32:47|03/13/2014|06:32:49|1212DEPI|XSFTP_EPI3
AA1212|03/13/2014|06:32:44|03/13/2014|06:32:46|1212DEPI|XSFTP_EPI2
AA1212|03/13/2014|06:32:39|03/13/2014|06:32:43|1212DEPI|XSFTP_EPI1
AA1212|03/13/2014|06:32:37|03/13/2014|06:32:38|1212DEPI|XGETEPITZP
AA1212|03/13/2014|06:32:31|03/13/2014|06:32:36|1212DEPI|PZGETEPIT
AA1212|03/13/2014|06:31:28|03/13/2014|06:32:30|1212DEPI|XMONEPIT_
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
Assuming your have field names like
field1|startDate|startTime|endDate|endTime|field2|field3
If you are interested in whole duration between and including event with DEPI_H to event with DEPI_T
, try this
your base search | eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1
where field1 is the unique id for different batch run.
If you just want the duration of event with DEPI_H and DEPI_T
, try this
your base search (field3="DEPI_H" OR field3="DEPI_T")| eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1
Many thanks, I will give this a try!
Yes, in this case, AA1212 is the identifier...
Finally, since these events are for one batch run, do you have any field which separates different, some kind of Id?
Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
and
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
and
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
Are the fields extracted already? For duration , you want the sum of duration of each event of total duration from DEPI_H to DEPI_T?