Splunk Search

How do I extract 2 timestamps from the same line

bsteph
Explorer

I want to chart multiple jobs that start and end at different times by time period. How do I extract the start and end time for a job and chart which jobs were running at a specified time? In this example, I have multiple jobs starting in a 1 hour interval but ending at different times. The first timestamp is the job's start time and the second is the job's end time:

12/08/16.00:08:15 12/08/16.00:08:17 job1
12/08/16.00:08:15 12/08/16.00:08:17 job2
12/08/16.00:07:49 12/08/16.00:08:44 job3
12/08/16.00:08:55 12/08/16.00:08:55 job4
12/08/16.00:08:31 12/08/16.00:09:00 job5
12/08/16.00:09:05 12/08/16.00:09:06 job6
12/08/16.00:09:15 12/08/16.00:09:15 job7
12/08/16.00:07:06 12/08/16.00:09:17 job8
12/08/16.00:09:25 12/08/16.00:09:25 job9
12/08/16.00:08:50 12/08/16.00:09:26 job10
12/08/16.00:09:40 12/08/16.00:09:42 job11
12/08/16.00:09:44 12/08/16.00:09:44 job 12

1 Solution

bsteph
Explorer

That was great. It led me to this:
source="startjob.log"
| eval stime=strptime(start_timestamp,"%y/%m/%d.%H:%M:%S")
| eval etime=strptime(end_timestamp,"%y/%m/%d.%H:%M:%S")
| stats min(stime) as begin max(etime) as end by job_name
| eval duration = end - begin
| eval dur=duration
| fieldformat duration=tostring(duration,"duration")
| fields - stime etime
| eval begin=strftime(begin,"%m/%d/%Y %H:%M:%S")
| eval end=strftime(end,"%m/%d/%Y %H:%M:%S")

0 Karma
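An offline cross-check for the search above, as an added example that is not part of the original post: it parses the question's sample lines with the same strptime format, applies the same min/max-per-job and duration logic, and goes one step further to list the jobs running at a given instant. The function names and the choice to treat intervals as inclusive at both ends are assumptions.

```python
from datetime import datetime

FMT = "%y/%m/%d.%H:%M:%S"  # same format string as the strptime() calls in the search
# Sample lines copied from the question above.
SAMPLE = """\
12/08/16.00:08:15 12/08/16.00:08:17 job1
12/08/16.00:08:15 12/08/16.00:08:17 job2
12/08/16.00:07:49 12/08/16.00:08:44 job3
12/08/16.00:08:55 12/08/16.00:08:55 job4
12/08/16.00:08:31 12/08/16.00:09:00 job5
12/08/16.00:09:05 12/08/16.00:09:06 job6
12/08/16.00:09:15 12/08/16.00:09:15 job7
12/08/16.00:07:06 12/08/16.00:09:17 job8
12/08/16.00:09:25 12/08/16.00:09:25 job9
12/08/16.00:08:50 12/08/16.00:09:26 job10
12/08/16.00:09:40 12/08/16.00:09:42 job11
12/08/16.00:09:44 12/08/16.00:09:44 job 12
"""

def parse_jobs(text):
    """Return {job_name: (begin, end)}, mirroring min(stime)/max(etime) by job_name."""
    jobs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 2)  # third part keeps names with spaces ("job 12")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected start, end, job name")
        start, end = (datetime.strptime(p, FMT) for p in parts[:2])
        if end < start:
            raise ValueError(f"line {lineno}: end precedes start")
        name = parts[2].strip()
        begin, finish = jobs.get(name, (start, end))
        jobs[name] = (min(begin, start), max(finish, end))
    return jobs

def running_at(jobs, when):
    """Names of jobs whose [begin, end] interval contains `when` (inclusive)."""
    t = datetime.strptime(when, FMT)
    return sorted(n for n, (b, e) in jobs.items() if b <= t <= e)

def durations(jobs):
    """Seconds per job, i.e. the search's `duration = end - begin`."""
    return {n: int((e - b).total_seconds()) for n, (b, e) in jobs.items()}

if __name__ == "__main__":
    jobs = parse_jobs(SAMPLE)
    print(running_at(jobs, "12/08/16.00:08:50"), durations(jobs)["job8"])
```

The names come back in string order, so `job10` sorts ahead of `job5`.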