Hello!
I have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here is the raw data of the logs:
CONS02^NO> 18:01:09.489 18:01:10 EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 FMMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04 FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPST FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03 FTPST START
CONS02^NO> 18:00:03.363 18:00:03 FMMFD START
CONS02^NO> 17:55:03.753 17:55:03 FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02 FTPSTA START
I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible.
Any ideas would be helpful!
Like this:
| makeresults
| eval raw="CONS02^NO> 18:01:09.489 18:01:10 EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 FMMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04 FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPST FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03 FTPST START
CONS02^NO> 18:00:03.363 18:00:03 FMMFD START
CONS02^NO> 17:55:03.753 17:55:03 FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02 FTPSTA START"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<host>\S+)\s+(?<_time>\S+)\s+(?<time2>\S+)\s+(?<job>\S+)\s+(?<msg>\S+)$"
| eval _time = strptime(_time, "%H:%M:%S.%3N")
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| stats range(_time) BY job
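As an added stand-alone illustration (not part of the question or of the SPL answer above), the same START/FIN pairing can be done outside Splunk. The Python below parses the exact log lines from the question, sorts them oldest-first, and matches each FIN to the earliest still-open START of the same job, so a job that ran more than once in the window (FTPFIL appears at 17:55 and again at 18:00 in the sample) yields one duration per run rather than one range per job name; it also reports any FIN without a START or START without a FIN. The host field and the regex are assumptions based on the sample format; the timestamps carry no date, so a run that crosses midnight would show up as unmatched rather than as a negative duration.

```python
import re
from collections import defaultdict, deque

# The log lines posted in the question, newest first as they appear there.
LOG_LINES = """\
CONS02^NO> 18:01:09.489 18:01:10 EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 FMMFD FIN
CONS02^NO> 18:01:09.089 18:01:10 EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04 FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPST FIN
CONS02^NO> 18:00:03.758 18:00:03 FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03 FTPST START
CONS02^NO> 18:00:03.363 18:00:03 FMMFD START
CONS02^NO> 17:55:03.753 17:55:03 FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03 FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02 FTPSTA START
""".splitlines()

# Assumed layout: host, millisecond timestamp, second timestamp, job name, START|FIN.
# The coarser second timestamp is ignored; the millisecond one is used.
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+\S+\s+"
    r"(?P<job>\S+)\s+(?P<msg>START|FIN)$"
)


def to_ms(ts):
    """Convert 'HH:MM:SS.mmm' to integer milliseconds since midnight.

    Integers avoid the float rounding you would get from subtracting epoch
    seconds; there is no date in the log, so this is time-of-day only.
    """
    hms, ms = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(ms)


def parse(lines):
    """Return a list of (ms, job, msg) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((to_ms(m["time"]), m["job"], m["msg"]))
    return events


def job_durations(lines):
    """Pair each FIN with the earliest open START of the same job.

    Returns (durations, unmatched) where durations maps job name to a list of
    run times in milliseconds (one entry per completed run, in time order) and
    unmatched lists events that could not be paired.
    """
    events = parse(lines)
    # The post lists newest first: reverse, then a stable sort by time keeps
    # events that share a timestamp in their original log order.
    events = sorted(reversed(events), key=lambda e: e[0])

    open_starts = defaultdict(deque)   # job -> FIFO of START times not yet closed
    durations = defaultdict(list)
    unmatched = []
    for t, job, msg in events:
        if msg == "START":
            open_starts[job].append(t)
        elif open_starts[job]:
            durations[job].append(t - open_starts[job].popleft())
        else:
            unmatched.append(("FIN without START", job, t))
    for job, pending in open_starts.items():
        for t in pending:
            unmatched.append(("START without FIN", job, t))
    return dict(durations), unmatched


def fmt_ms(ms):
    """Render milliseconds as seconds with three decimals, e.g. 65726 -> '65.726'."""
    return f"{ms // 1000}.{ms % 1000:03d}"


if __name__ == "__main__":
    durations, unmatched = job_durations(LOG_LINES)
    for job in sorted(durations):
        print(job, [fmt_ms(d) + "s" for d in durations[job]])
    for reason, job, t in unmatched:
        print("unmatched:", reason, job, t)
```

Run as-is it prints one line per job with a list of run times; FTPFIL gets two entries (0.567s and 0.756s) because it ran twice in the sample, whereas a single max-minus-min range per job name would span both runs. Note that the sample also contains both FTPST and FTPSTA, which are treated as distinct jobs because the names differ.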