How to find the difference between time stamps in 2 different events?

MWAKburns — Thu, 15 Jun 2017 20:11:10 GMT

Hello!

I am have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here the raw data of the logs:

CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN  
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN  
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START

I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible.

Any ideas would be helpful!

Re: How to find the difference between time stamps in 2 different events?

woodcock — Thu, 15 Jun 2017 20:45:56 GMT

Like this:

| makeresults 
| eval raw="CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<host>\S+)\s+(?<_time>\S+)\s+(?<time2>\S+)\s+(?<job>\S+)\s+(?<msg>\S+)$"
| eval _time = strptime(_time, "%H:%M:%S.%3N")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats range(_time) BY job

topic How to find the difference between time stamps in 2 different events? in Splunk Search

How to find the difference between time stamps in 2 different events?

Re: How to find the difference between time stamps in 2 different events?