Splunk Search

How to find the difference between time stamps in 2 different events?

MWAKburns
Engager

Hello!

I have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here is the raw data of the logs:

CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN  
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN  
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START

I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible.

Any ideas would be helpful!


woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<host>\S+)\s+(?<_time>\S+)\s+(?<time2>\S+)\s+(?<job>\S+)\s+(?<msg>\S+)$"
| eval _time = strptime(_time, "%H:%M:%S.%3N")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats range(_time) BY job
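The same pairing of START and FIN events, as an added example in Python that is not part of the original thread or of Splunk: each START is matched with the next FIN for the same host and job, so a job that runs more than once in the window (FTPFIL appears twice in the sample) gets one duration per run, and a START that never sees a FIN is reported separately. The sample lines are the ones from the question, embedded here in the newest-first order Splunk shows them; the timestamps carry no date, so the example assumes all lines fall within one day.

```python
import re
from datetime import datetime

# Constructed sample: the lines from the question, newest first as Splunk lists them.
SAMPLE_LOG = """\
CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START
"""

# host, millisecond timestamp, second-resolution timestamp (ignored), job, START|FIN
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+\S+\s+"
    r"(?P<job>\S+)\s+(?P<msg>START|FIN)\s*$"
)


def parse_line(line):
    """Return (host, timestamp, job, msg) for a START/FIN line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No date in the log: strptime defaults to 1900-01-01, which is fine for deltas
    # as long as all events are assumed to be from the same day.
    ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
    return m.group("host"), ts, m.group("job"), m.group("msg")


def job_durations(lines):
    """Pair each START with the next FIN of the same (host, job).

    Returns (runs, unmatched): runs is a list of
    (host, job, start_ts, fin_ts, seconds) in order of completion;
    unmatched lists (host, job, start_ts) for STARTs that never got a FIN.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    # Process chronologically regardless of input order. At equal timestamps a
    # START sorts before a FIN so a zero-duration run still pairs correctly.
    events.sort(key=lambda e: (e[1], e[3] == "FIN"))

    open_runs = {}   # (host, job) -> start timestamp of the run in progress
    runs = []
    for host, ts, job, msg in events:
        key = (host, job)
        if msg == "START":
            # A second START before a FIN replaces the earlier one; that earlier
            # run is treated as never having finished and is reported as unmatched.
            if key in open_runs:
                runs_lost = open_runs.pop(key)
                unmatched_extra.append((host, job, runs_lost))
            open_runs[key] = ts
        elif key in open_runs:
            start = open_runs.pop(key)
            runs.append((host, job, start, ts, (ts - start).total_seconds()))
        # A FIN with no open START is ignored: it belongs to a run outside the window.
    unmatched = unmatched_extra + [(h, j, t) for (h, j), t in open_runs.items()]
    return runs, unmatched


# Collected by job_durations(); module-level so a caller can inspect it after a run.
unmatched_extra = []


def durations_by_job(lines):
    """Convenience view: job -> list of durations in seconds, chronological."""
    out = {}
    for _host, job, _start, _fin, secs in job_durations(lines)[0]:
        out.setdefault(job, []).append(secs)
    return out


if __name__ == "__main__":
    runs, unmatched = job_durations(SAMPLE_LOG.splitlines())
    for host, job, start, fin, secs in runs:
        print(f"{host} {job:7s} {start:%H:%M:%S.%f} -> {fin:%H:%M:%S.%f} {secs:8.3f}s")
    for host, job, start in unmatched:
        print(f"{host} {job:7s} {start:%H:%M:%S.%f} -> (no FIN seen)")
```

Pairing on (host, job) rather than on job alone matters once the search spans more than one host, since the same job name may run on several machines. In SPL the equivalent pairing is what `transaction job startswith=START endswith=FIN` produces, with the elapsed time in its `duration` field.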