- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Trying to find the 'run time' difference between t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello -
I am trying to find a way to display the daily run time of a job that kicks off daily. I am trying to create a display table that shows the start time of the job, the end time of the job and the amount of time the job took to complete daily.
The start time can be defined by: ZSTRTMAIL
And the end time can be defined by: ZENDMAIL
I've created the search below, but it does not seem to be calcuting the time differnece between when ZSTRTMAIL starts and ZENDMAIL ends. Any help would be greatly appreciated.
<event>
<searchString>sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | eval Duration=End-Start | stats sum(Duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs</searchString>
<earliestTime>-7d</earliestTime>
<latestTime>now</latestTime>
</event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (please validate the field names as the fields in your logs and your query in the question seems to be different)
sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime,"%H:%M:%S")
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" Company | eval TotalDurationSecs=EndTime - StartTime | table Company Start End TotalDurationSecs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (please validate the field names as the fields in your logs and your query in the question seems to be different)
sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime,"%H:%M:%S")
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" Company | eval TotalDurationSecs=EndTime - StartTime | table Company Start End TotalDurationSecs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly! Thank you somesoni2!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad. Try the updated answer. This should take care of formatting of Start and End.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And this is the output of said query:
Start End TotalDurationSecs
1404719208.000000 1404720208.000000 1000
1404762808.000000 1404763808.000000 1000
1404693808.000000 1404696808.000000 3000
1404645408.000000 1404647408.000000 2000
1404680608.000000 1404681608.000000 1000
1404703008.000000 1404704008.000000 1000
1404705008.000000 1404623608.000000 5000
1404619608.000000 1404620608.000000 1000
1404655008.000000 1404656008.000000 1000
1404668408.000000 1404669408.000000 1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again. This is the query:
sourcetype=PROFILE_DAYEND_STATS ClientName = "*" (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=strptime(StartDate." ".strftime(StartTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".strftime(EndTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" ClietName | eval TotalDurationSecs=EndTime - StartTime | table ClientName Start End TotalDurationSecs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share the query that you're running? The output should be in table format from the query that I suggested.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what it displays in the Events running the command.
PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! This looks MUCH better! I am seeing inaccurate years populated in the table, any suggestions?
ClientName Start End TotalDurationSecs
01/08/1978 03:46:48 01/08/1978 04:03:28 1000
12/20/1977 15:53:28 12/20/1977 16:10:08 1000
12/04/1977 20:43:28 12/04/1977 21:33:28 3000
11/30/1977 07:16:48 11/30/1977 07:50:08 2000
11/17/1977 17:03:28 11/17/1977 17:20:08 1000
11/11/1977 23:16:48 11/11/1977 23:33:28 1000
11/06/1977 23:50:08 11/07/1977 01:13:28 5000
10/17/1977 00:06:48 10/17/1977 00:23:28 1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure...
Detail Data consists of Company|Start Date|Start Time|End Date|End Time|Session|UPROC
PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide some sample logs? Its a pretty regulation requirement and sample can help get you closest answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this search. Note: the field "duration" is auto calculated as part of the transaction command.
sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAiL" maxspan=8h ClientName | stats sum(duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
