
Unable to match field with strptime

dondky
Path Finder

Hello all, I'm trying to calculate the amount of time a job took to run from an event that looks like so:

2016-08-26 11:18:44 HistoryId="1710410", JobSource="861638A0-67C8-4661-B788-E615363436FA", JobId="6989A4FF-BD2B-43D6-8520-69A8A064600E", QueueTime="2016-08-26 15:18:32.147", StartTime="2016-08-26 15:18:32.97", EndTime="2016-08-26 15:18:38.4", AgentId="FD64361C-2F23-4496-9B69-3DDDD0D4DBA0", Result="0", ResultMessage="[Common Structures Warehouse Sync]:  ---> MakeDataChanges() result=NoChangesPending. ---> Result: Succeeded", QueuedReasons="1", QueueFlags="0", Priority="7"

Currently doing the following:

index=application | lookup tfs_jobs jobID as JobId OUTPUT jobName | eval stime=strptime(StartTime,"Y-%m-%d %H:%M:%S.%3N") | eval etime=strptime(EndTime,"Y-%m-%d %H:%M:%S.%3N") | table stime

Just to see if I can match the "StartTime" field.

But it appears that stime is not even populated, because the table is blank. This event is coming from an MSSQL backend and I'm not 100% sure I'm matching the millisecond time at the end (.97) correctly. I've also seen events come in as such:

2016-08-26 10:48:44 HistoryId="1710403", JobSource="861638A0-67C8-4661-B788-E615363436FA", JobId="6989A4FF-BD2B-43D6-8520-69A8A064600E", QueueTime="2016-08-26 14:48:32.147", StartTime="2016-08-26 14:48:33.403", EndTime="2016-08-26 14:48:35.567", AgentId="FD64361C-2F23-4496-9B69-3DDDD0D4DBA0", Result="0", ResultMessage="[Common Structures Warehouse Sync]:  ---> MakeDataChanges() result=NoChangesPending. ---> Result: Succeeded", QueuedReasons="1", QueueFlags="0", Priority="7"

Which makes me conclude it's in milliseconds and I'm using the %3N.

Any assistance on what I'm doing wrong would be appreciated.

Thanks


sundareshr
Legend

May just be a simple typo. Your strptime format is missing a %. This works:

| makeresults | eval StartTime="2016-08-26 15:18:32.97" | eval EndTime="2016-08-26 15:18:38.4" | eval stime=strptime(StartTime,"%Y-%m-%d %H:%M:%S.%3N") | eval etime=strptime(EndTime,"%Y-%m-%d %H:%M:%S.%3N") | table StartTime EndTime stime etime


dondky
Path Finder

Thank you! The %Y was the culprit.
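The following search is an added example, not part of the original thread. It takes the StartTime and EndTime values from the two events in the question, parses them with both the original format (missing `%`) and the corrected one, flags rows where strptime returned nothing, and computes the job duration the question set out to measure. The field names `n`, `bad_stime`, `parse_status` and `duration_sec` are made up for illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval StartTime=if(n=1, "2016-08-26 15:18:32.97", "2016-08-26 14:48:33.403")
| eval EndTime=if(n=1, "2016-08-26 15:18:38.4", "2016-08-26 14:48:35.567")
| eval bad_stime=strptime(StartTime, "Y-%m-%d %H:%M:%S.%3N")
| eval stime=strptime(StartTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval etime=strptime(EndTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval parse_status=case(isnull(stime) OR isnull(etime), "parse_failed", true(), "ok")
| eval duration_sec=if(parse_status="ok", round(etime - stime, 3), null())
| table StartTime EndTime bad_stime stime etime parse_status duration_sec
```

`bad_stime` stays empty, which is the blank table from the question: a format that does not match yields no value rather than an error, so keeping a `parse_status` check in the real search makes that failure visible. The fractional part varies in length in these events (`.97`, `.4`, `.403`), so check `stime` and `etime` for the first row before relying on sub-second durations.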
