topic Re: How do I extract 2 timestamps from the same line in Splunk Search

How do I extract 2 timestamps from the same line

bsteph — Fri, 17 Aug 2012 16:16:53 GMT

I want to chart multiple jobs that start and end at different times by time period. How do I extract the start and end time for a job and chart which jobs were running at a specified time. In this example, I have multiple jobs starting in a 1 hour interval, but ending at different times the first timestamp is the jobs start time and the second is the jobs endtime:

12/08/16.00:08:15 12/08/16.00:08:17 job1
12/08/16.00:08:15 12/08/16.00:08:17 job2
12/08/16.00:07:49 12/08/16.00:08:44 job3
12/08/16.00:08:55 12/08/16.00:08:55 job4
12/08/16.00:08:31 12/08/16.00:09:00 job5
12/08/16.00:09:05 12/08/16.00:09:06 job6
12/08/16.00:09:15 12/08/16.00:09:15 job7
12/08/16.00:07:06 12/08/16.00:09:17 job8
12/08/16.00:09:25 12/08/16.00:09:25 job9
12/08/16.00:08:50 12/08/16.00:09:26 job10
12/08/16.00:09:40 12/08/16.00:09:42 job11
12/08/16.00:09:44 12/08/16.00:09:44 job 12

Re: How do I extract 2 timestamps from the same line

rroberts — Fri, 17 Aug 2012 16:33:27 GMT

Check out ... http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/ConfigurePositionalTimestampExtraction

and ... http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition

Re: How do I extract 2 timestamps from the same line

bsteph — Mon, 28 Sep 2020 12:17:15 GMT

That was great. It lead me to this:
source="startjob.log" |eval stime=strptime(start_timestamp,"%y/%m/%d.%H:%M:%S") |eval etime=strptime(end_timestamp,"%y/%m/%d.%H:%M:%S")| stats min(stime) as begin max(etime) as end by job_name| eval duration = end - begin| eval dur=duration|fieldformat duration=tostring(duration,"duration")| fields - stime etime
| eval begin=strftime(begin,"%m/%d/%Y %H:%M:%S") | eval end=strftime(end,"%m/%d/%Y %H:%M:%S")