Alerting

How to calculate Job runtime?

MG
Engager

I have a field 'JOB_STATUS' with the values as 'STARTING' and 'SUCCESS'.  With this I have to calculate the runtime.

runtime=STARTING-SUCCESS


Can you please let me know how to do this?


MG
Engager

Only value is JOB_Name


richgalloway
SplunkTrust
SplunkTrust

Please share some sample STARTING and SUCCESS events.

---
If this reply helps you, Karma would be appreciated.

MG
Engager

7/19/22 12:44:40.000 PM
[07/19/2022 08:44:40] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: PullMg_CreateHistory_job MACHINE: xxxxxxxxxx sourcetype = event_demon

7/19/22 12:47:42.000 PM
[07/19/2022 08:47:42] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: PullMg_CreateHistory_job MACHINE: xxxxxxxxxx EXITCODE: 0 sourcetype = event_demon


richgalloway
SplunkTrust
SplunkTrust

Assuming the machine name ties starting and finishing events, then this should help.

index=foo ("STARTING" OR "SUCCESS")
| rex "JOB: (?<JOB>\S+)"
| rex "MACHINE: (?<MACHINE>\S+)"
| stats min(_time) as start, max(_time) as end by JOB MACHINE
| eval RUNTIME=end-start
---
If this reply helps you, Karma would be appreciated.

MG
Engager

The query given is clubbing all the start times and end times for each job and not giving the actual result.

One of the jobs is running every 5 min a day, and these are the events.

index=foo JOB_4185_u (STARTING OR SUCCESS)
|table JOB MACHINE _time STATUS

JOB         MACHINE   _time             STATUS
JOB_4185_u  Machine1  20-07-2022 03:31  SUCCESS
JOB_4185_u  Machine2  20-07-2022 00:22  SUCCESS
JOB_4185_u  Machine1  19-07-2022 23:45  STARTING
JOB_4185_u  Machine1  19-07-2022 23:21  SUCCESS
JOB_4185_u  Machine2  19-07-2022 20:31  SUCCESS
JOB_4185_u  Machine1  19-07-2022 11:46  SUCCESS
JOB_4185_u  Machine1  19-07-2022 11:45  STARTING
JOB_4185_u  Machine2  19-07-2022 11:00  STARTING
JOB_4185_u  Machine1  19-07-2022 08:41  SUCCESS
JOB_4185_u  Machine2  20-07-2022 04:07  STARTING

But in the query, it is summing up all the start times and end times for a job and giving it as a table with only two statistics, even though there are 557 events matching.

index=foo JOB_4185_u (STARTING OR SUCCESS)
|stats min(_time) as STARTTIME,max(_time) as ENDTIME by JOB MACHINE
|fieldformat STARTTIME=strftime(STARTTIME,"%F %T")
|fieldformat ENDTIME=strftime(ENDTIME,"%F %T")
|eval RUNTIME=ENDTIME-STARTTIME
|table JOB MACHINE STARTTIME ENDTIME RUNTIME STATUS

Complete 557 events (7/19/22 5:00:00.000 AM to 7/20/22 5:18:44.000 AM)

JOB         MACHINE  STARTTIME         ENDTIME           RUNTIME  STATUS
JOB_4185_u  xxxxx    19-07-2022 05:20  20-07-2022 05:16  86197
JOB_4185_u  xxxxxxx  19-07-2022 05:00  20-07-2022 05:11  87103


ITWhisperer
SplunkTrust
SplunkTrust

Your example data has inconsistent numbers and orders of STARTING and SUCCESS - assuming this is just a typo and that for each STARTING there will be a SUCCESS, try this:

| sort 0 JOB MACHINE _time
| streamstats range(_time) as duration first(STATUS) as previousSTATUS window=2 global=f by JOB MACHINE
| where STATUS="SUCCESS" AND previousSTATUS="STARTING"

MG
Engager

But how to separate start_time and end_time?

|table JOB, STARTTIME,ENDTIME,RUNTIME


ITWhisperer
SplunkTrust
SplunkTrust
| sort 0 JOB MACHINE _time
| streamstats min(_time) as STARTTIME range(_time) as RUNTIME first(STATUS) as previousSTATUS window=2 global=f by JOB MACHINE
| where STATUS="SUCCESS" AND previousSTATUS="STARTING"
| rename _time as ENDTIME
| table JOB STARTTIME ENDTIME RUNTIME

MG
Engager

I think I'm getting the result. But the time format is not in the actual time format. How to convert it?


start       end         runtime
1658235600  1658235605  5

ITWhisperer
SplunkTrust
SplunkTrust
| fieldformat start=strftime(start,"%F %T")
| fieldformat end=strftime(end,"%F %T")
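To make the pairing logic in the two answers above concrete outside Splunk, here is an added Python example (not code from the thread or from Splunk) that does the same three things: extract STATUS, JOB and MACHINE from event_demon lines with the same regex idea as the rex commands, pair each SUCCESS with the STARTING immediately before it per JOB/MACHINE (the sort + streamstats window=2 + where step), and format the epoch times the way fieldformat strftime does. It also collects STARTING events that never got a SUCCESS, which is exactly the data inconsistency ITWhisperer pointed out and the case a job-monitoring alert usually cares about. The sample lines, host names and job names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample events in the event_demon layout shown in the thread.
# Host names and the second job are placeholders; the last STARTING on host01
# and the lone STARTING on host02 deliberately have no matching SUCCESS.
SAMPLE_EVENTS = """\
[07/19/2022 08:44:40] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: PullMg_CreateHistory_job MACHINE: host01
[07/19/2022 08:47:42] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: PullMg_CreateHistory_job MACHINE: host01 EXITCODE: 0
[07/19/2022 11:45:00] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: JOB_4185_u MACHINE: host01
[07/19/2022 11:46:10] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: JOB_4185_u MACHINE: host01 EXITCODE: 0
[07/19/2022 11:00:00] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: JOB_4185_u MACHINE: host02
[07/19/2022 23:45:00] CAXXX_I_40245 EVENT: CHANGE_STATUS STATUS: STARTING JOB: JOB_4185_u MACHINE: host01
"""

# Same fields the rex commands pull out, plus the bracketed timestamp.
EVENT_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] .*?"
    r"STATUS: (?P<status>\S+) JOB: (?P<job>\S+) MACHINE: (?P<machine>\S+)"
)

# Equivalent of strftime(x, "%F %T"); spelled out because %F/%T are
# platform-dependent in Python's strftime.
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Turn raw lines into dicts with _time (datetime), STATUS, JOB, MACHINE."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # lines that do not carry a status change are ignored
        events.append({
            "_time": datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),
            "STATUS": m.group("status"),
            "JOB": m.group("job"),
            "MACHINE": m.group("machine"),
        })
    return events


def pair_runs(events):
    """sort 0 JOB MACHINE _time | streamstats ... window=2 by JOB MACHINE | where ...

    Returns (runs, unmatched): runs is one row per STARTING->SUCCESS pair with
    RUNTIME in seconds; unmatched lists STARTING events with no SUCCESS after them.
    """
    ordered = sorted(events, key=lambda e: (e["JOB"], e["MACHINE"], e["_time"]))
    prev = {}  # (JOB, MACHINE) -> previous event for that job/machine
    runs, unmatched = [], []
    for ev in ordered:
        key = (ev["JOB"], ev["MACHINE"])
        p = prev.get(key)
        if ev["STATUS"] == "SUCCESS" and p is not None and p["STATUS"] == "STARTING":
            runs.append({
                "JOB": ev["JOB"],
                "MACHINE": ev["MACHINE"],
                "STARTTIME": p["_time"].strftime(TIME_FMT),
                "ENDTIME": ev["_time"].strftime(TIME_FMT),
                "RUNTIME": int((ev["_time"] - p["_time"]).total_seconds()),
            })
        elif ev["STATUS"] == "STARTING" and p is not None and p["STATUS"] == "STARTING":
            unmatched.append(p)  # two STARTINGs in a row: the first never finished
        prev[key] = ev
    # A STARTING that is the last event for its job/machine also never finished.
    unmatched.extend(p for p in prev.values() if p["STATUS"] == "STARTING")
    return runs, unmatched


if __name__ == "__main__":
    runs, unmatched = pair_runs(parse_events(SAMPLE_EVENTS))
    for r in runs:
        print(f'{r["JOB"]:<26} {r["MACHINE"]:<8} {r["STARTTIME"]}  {r["ENDTIME"]}  {r["RUNTIME"]:>6}')
    for u in unmatched:
        print(f'no SUCCESS after STARTING: {u["JOB"]} on {u["MACHINE"]} at {u["_time"].strftime(TIME_FMT)}')
```

The window=2 rule is the reason duplicate SUCCESS rows (as in the pasted sample data) are silently dropped: a SUCCESS whose previous event on the same job/machine is another SUCCESS has no STARTING to pair with, so it never becomes a run. If those rows are real rather than typos, the only fix is a proper per-run identifier in the events, which is what the follow-up question about a common job id is getting at.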

MG
Engager

Thanks. It worked.

ITWhisperer
SplunkTrust
SplunkTrust

Presumably, these are different events?

Are the events linked by a common id in another field, which is unique for each job?

MG
Engager

There is no common field like jobid or other related items


ITWhisperer
SplunkTrust
SplunkTrust

How do you know which SUCCESS status relates to which STARTING status?
