Splunk Search

How to find the difference between time stamps in 2 different events?

MWAKburns
Engager

Hello!

I have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here is the raw data of the logs:

CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN  
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN  
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START

I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible.

Any ideas would be helpful!

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<host>\S+)\s+(?<_time>\S+)\s+(?<time2>\S+)\s+(?<job>\S+)\s+(?<msg>\S+)$"
| eval _time = strptime(_time, "%H:%M:%S.%3N")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats range(_time) BY job
0 Karma
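The same START/FIN pairing, written as an added Python example (not code from either poster, and not Splunk SPL) so the logic can be run outside Splunk. It assumes the exact line layout shown in the question (host, millisecond time, second time, job, message) and embeds those twelve lines as constructed sample input. It goes one step further than a per-job range: each START is paired with the next FIN for the same job, so a job that appears more than once in the sample (FTPFIL at 17:55 and again at 18:00) gets one duration per run, and a FIN with no preceding START or a START that never finishes is reported separately instead of silently producing a wrong span.

```python
import re
from datetime import datetime

# Constructed sample input: the log lines from the question, newest first as posted.
SAMPLE_LOG = """\
CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START
"""

# Same five fields the answer's rex extracts: host, ms time, s time, job, message.
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<time>\S+)\s+(?P<time2>\S+)\s+(?P<job>\S+)\s+(?P<msg>\S+)\s*$"
)


def parse_events(text):
    """Return (timestamp, job, msg) tuples sorted oldest first.

    The log carries no date, so strptime yields a 1900-01-01 date (same caveat
    as the SPL strptime in the answer): a run that crosses midnight would come
    out with a negative duration and must be handled with date-bearing logs.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the expected layout are skipped
        ts = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
        events.append((ts, m.group("job"), m.group("msg")))
    # START sorts before FIN when two events of the same job share a timestamp.
    events.sort(key=lambda e: (e[0], 0 if e[2] == "START" else 1))
    return events


def job_durations(text):
    """Pair each START with the next FIN of the same job.

    Returns (durations, unmatched_fin, still_open) where durations is a list of
    (job, start_timestamp, seconds) in FIN order. A per-job list of open STARTs
    gives one duration per run even when a job runs several times in the log.
    """
    open_starts = {}
    durations = []
    unmatched_fin = []
    for ts, job, msg in parse_events(text):
        if msg == "START":
            open_starts.setdefault(job, []).append(ts)
        elif msg == "FIN":
            starts = open_starts.get(job)
            if starts:
                start = starts.pop(0)  # earliest open START closes first
                seconds = round((ts - start).total_seconds(), 3)  # log is ms precision
                durations.append((job, start, seconds))
            else:
                unmatched_fin.append((job, ts))  # FIN with no START on record
    still_open = [(job, ts) for job, lst in open_starts.items() for ts in lst]
    return durations, unmatched_fin, still_open


if __name__ == "__main__":
    done, orphan_fin, open_runs = job_durations(SAMPLE_LOG)
    for job, start, seconds in done:
        print(f"{job:7} started {start:%H:%M:%S.%f} ran {seconds:.3f}s")
    print("FIN without START:", orphan_fin)
    print("START without FIN:", open_runs)
```

Run as a script it prints one line per completed run; FTPFIL shows up twice (0.567 s and 0.756 s) rather than as a single five-minute span. The two extra return values are the check worth keeping in any production version: a FIN that arrives with no open START usually means the START line was dropped or a truncated ingest, not a zero-length job.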