Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate Job runtime?

MG
Engager
‎07-19-2022 04:46 AM

 

I have a field 'JOB_STATUS' with the values as 'STARTING' and 'SUCCESS'.  With this I have to calculate the runtime.

runtime=STARTING-SUCCESS


Can you please let me know how to do this

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2022 06:41 AM

Assuming the machine name ties starting and finishing events, then this should help.

index=foo ("STARTING" OR "SUCCESS")
| rex "JOB: (?<JOB>\S+)"
| rex "MACHINE: (?<MACHINE>\S+)"
| stats min(_time) as start, max(_time) as end by JOB MACHINE
| eval RUNTIME=end-start
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 06:33 AM

Only value is JOB_Name

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2022 05:07 AM

Please share some sample STARTING and SUCCESS events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 05:49 AM

7/19/22 12:44:40.000 PM
[07/19/2022 08:44:40] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: PullMg_CreateHistory_job MACHINE: xxxxxxxxxx sourcetype = event_demon

7/19/22 12:47:42.000 PM
[07/19/2022 08:47:42] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: PullMg_CreateHistory_job MACHINE: xxxxxxxxxx EXITCODE: 0 sourcetype = event_demon

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2022 06:41 AM

Assuming the machine name ties starting and finishing events, then this should help.

index=foo ("STARTING" OR "SUCCESS")
| rex "JOB: (?<JOB>\S+)"
| rex "MACHINE: (?<MACHINE>\S+)"
| stats min(_time) as start, max(_time) as end by JOB MACHINE
| eval RUNTIME=end-start
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 11:06 PM

***The query given is clubbing all the start time and endtime for each job and not giving the actual result**

One of the job is running every 5min a day and these are the events.

index=foo JOB_4185_u (STARTING OR SUCCESS)
|table JOB MACHINE _time STATUS

JOBMACHINE_timeSTATUS
JOB_4185_uMachine120-07-2022 03:31SUCCESS
JOB_4185_uMachine220-07-2022 00:22SUCCESS
JOB_4185_uMachine119-07-2022 23:45STARTING
JOB_4185_uMachine119-07-2022 23:21SUCCESS
JOB_4185_uMachine219-07-2022 20:31SUCCESS
JOB_4185_uMachine119-07-2022 11:46SUCCESS
JOB_4185_uMachine119-07-2022 11:45STARTING
JOB_4185_uMachine219-07-2022 11:00STARTING
JOB_4185_uMachine119-07-2022 08:41SUCCESS
JOB_4185_uMachine220-07-2022 04:07STARTING

 

But in the query , it is summing up all the starttime and end time for a job and giving it as a table with only two statistics eventhough there are 557 events matching.

index=foo JOB_4185_u (STARTING OR SUCCESS)
|stats min(_time) as STARTTIME,max(_time) as ENDTIME by JOB MACHINE
|fieldformat STARTTIME=strftime(STARTTIME,"%F %T")
|fieldformat ENDTIME=strftime(ENDTIME,"%F %T")
|eval RUNTIME=ENDTIME-STARTTIME
|table JOB MACHINE STARTTIME ENDTIME RUNTIME STATUS

Complete 557 events (7/19/22 5:00:00.000 AM to 7/20/22 5:18:44.000 AM)

JOB

MACHINESTARTTIMEENDTIMERUNTIMESTATUS
JOB_4185_uxxxxx19-07-2022 05:2020-07-2022 05:1686197 
JOB_4185_uxxxxxxx19-07-2022 05:0020-07-2022 05:1187103 

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 11:34 PM

Your example data has inconsistent numbers and orders of STARTING and SUCCESS - assuming this is just a typo and that for each STARTING there will be a SUCCESS, try this

| sort 0 JOB MACHINE _time
| streamstats range(_time) as duration first(STATUS) as previousSTATUS window=2 global=f by JOB MACHINE
| where STATUS="SUCCESS" AND previousSTATUS="STARTING"
0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-20-2022 12:14 AM

But how to separate start_time and end_time

 

|table JOB, STARTTIME,ENDTIME,RUNTIME

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2022 12:20 AM 
| sort 0 JOB MACHINE _time
| streamstats min(_time) as STARTTIME range(_time) as RUNTIME first(STATUS) as previousSTATUS window=2 global=f by JOB MACHINE
| where STATUS="SUCCESS" AND previousSTATUS="STARTING"
| rename _time as ENDTIME
| table JOB STARTTIME ENDTIME RUNTIME
0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 06:55 AM

I think i'm getting the result. But the time format is not in the actual time format.how to convert it

 

start end runtime

165823560016582356055  
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 06:57 AM 
| fieldformat start=strftime(start,"%F %T")
| fieldformat end=strftime(end,"%F %T")
0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 07:04 AM

Thanks..It worked

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 04:59 AM

Presumably, these are different event?

Are the events link by a common id in another field, which is unique for each job?

0 Karma
Reply
Solved! Jump to solution

MG
Engager
‎07-19-2022 05:50 AM

There is no common field like jobid or other related items

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 06:00 AM

How do you know which SUCCESS status relates to which STARTING status?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...