topic Re: search PID and list according to PID generated and killed time in Deployment Architecture

search PID and list according to PID generated and killed time

vijen2000 — Thu, 24 Sep 2020 13:57:41 GMT

Hello Splunk Community,

I am kind of beginner in Splunk. Need help on a scenario

I have below example logs

2020-08-20 08:52:46, 760 XYZ_Processor/1.1.0 Application Process Completed

2020-08-20 08:51:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:50:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:47:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232

2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Completed

2020-08-20 08:39:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:38:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:37:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 42343

I want below results

PID START_TIME END_TIME TIME_TAKEN

42343 2020-08-20 08:37:46 2020-08-20 08:40:46 03:00:00

23232 2020-08-20 08:47:46 2020-08-20 08:52:46 05:00:00

Could anyone help in this? I have to add PID as first field from the logs and print in first column and then start time and end time of the process and then the time taken. Thank you in advance.

Re: search PID and list according to PID generated and killed time

ITWhisperer — Thu, 24 Sep 2020 14:11:08 GMT

Can more than one process run concurrently?

2020-08-20 08:52:46, 760 XYZ_Processor/1.1.0 Application Process Completed

2020-08-20 08:51:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:50:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:47:46, 760 XYZ_Processor/1.1.0 Application Process Completed

2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232

2020-08-20 08:39:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:38:46, 760 XYZ_Processor/1.1.0 Random logs

2020-08-20 08:37:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 42343

If so, how do you identify which Process ID each Application Process Completed is related to?

Re: search PID and list according to PID generated and killed time

vijen2000 — Thu, 24 Sep 2020 14:17:04 GMT

@ITWhisperer

Thanks for response. Only one process run at a time.

Once process completes, we get the message "Application Process Completed" and then new id get created again like this

2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232

Re: search PID and list according to PID generated and killed time

ITWhisperer — Thu, 24 Sep 2020 14:37:56 GMT

index=... ("Application Process Completed" OR "Application Process Id generated" | rex "Application Process Id generated : (?<id>\d+)" | streamstats window=2 earliest(_time) as start earliest(id) as pid | where isnull(id) | eval time_taken=_time-start | table pid start _time time_taken | fieldformat start=strftime(start,"%Y-%m-%d %H:%M:%S") | fieldformat time_taken=strftime(time_taken,"%H:%M:%S")

Re: search PID and list according to PID generated and killed time

vijen2000 — Thu, 24 Sep 2020 15:31:32 GMT

@ITWhispererIt worked 😀

Thanks a lot buddy for swift response. Big thumps up to you 👍