Hello Splunk Community,
I am kind of a beginner in Splunk. I need help with a scenario.
I have the example logs below:
2020-08-20 08:52:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:51:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:50:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:47:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232
2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:39:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:38:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:37:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 42343
I want the results below:
PID START_TIME END_TIME TIME_TAKEN
42343 2020-08-20 08:37:46 2020-08-20 08:40:46 03:00:00
23232 2020-08-20 08:47:46 2020-08-20 08:52:46 05:00:00
Could anyone help with this? I have to add the PID as the first field from the logs and print it in the first column, then the start time and end time of the process, and then the time taken. Thank you in advance.
index=... ("Application Process Completed" OR "Application Process Id generated")
| rex "Application Process Id generated : (?<id>\d+)"
| streamstats window=2 earliest(_time) as start earliest(id) as pid
| where isnull(id)
| eval time_taken=_time-start
| table pid start _time time_taken
| fieldformat start=strftime(start,"%Y-%m-%d %H:%M:%S")
| fieldformat time_taken=strftime(time_taken,"%H:%M:%S")
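Added example, not from the thread: a Python version of the same start/end pairing over this log format, run on a constructed sample (the extra PID 11111 is made up to show a start that never completes). Unlike the search above it flags that unfinished process instead of silently dropping it, and it formats TIME_TAKEN arithmetically, because strftime() on a duration treats the value as an epoch time and the result shifts with the search time zone.

```python
import re
from datetime import datetime
# Constructed sample, newest first as Splunk returns events; 11111 never completes.
SAMPLE_LOGS = """\
2020-08-20 08:52:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:51:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:47:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232
2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:37:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 42343
2020-08-20 08:30:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 11111
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \d+ \S+ "
                     r"Application Process (?:Completed|Id generated : (?P<pid>\d+))$")

def parse_events(text):
    """Only the two marker messages, as (timestamp, pid), oldest first; pid is None for Completed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # "Random logs" lines do not match and are dropped
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("pid")))
    return sorted(events, key=lambda e: e[0])

def pair_processes(events):
    """Pair each 'Id generated' with the next 'Completed' (one process at a time)."""
    rows, current = [], None  # current = (pid, start) of the open process
    for ts, pid in events:
        if pid is not None:
            if current is not None:  # previous start never completed
                rows.append((current[0], current[1], None))
            current = (pid, ts)
        elif current is not None:  # a Completed with no open process is ignored
            rows.append((current[0], current[1], ts))
            current = None
    if current is not None:
        rows.append((current[0], current[1], None))
    return rows

def process_report(text):
    """(PID, START_TIME, END_TIME, TIME_TAKEN) rows, TIME_TAKEN as HH:MM:SS."""
    out, fmt = [], "%Y-%m-%d %H:%M:%S"
    for pid, start, end in pair_processes(parse_events(text)):
        if end is None:  # flag rather than silently drop an unfinished process
            out.append((pid, start.strftime(fmt), "NO COMPLETION", ""))
            continue
        s = int((end - start).total_seconds())  # arithmetic, not strftime on an epoch
        out.append((pid, start.strftime(fmt), end.strftime(fmt),
                    "%02d:%02d:%02d" % (s // 3600, s % 3600 // 60, s % 60)))
    return out
```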
@ITWhisperer It worked 😀
Thanks a lot, buddy, for the swift response. Big thumbs up to you 👍
Can more than one process run concurrently?
2020-08-20 08:52:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:51:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:50:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:47:46, 760 XYZ_Processor/1.1.0 Application Process Completed
2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232
2020-08-20 08:39:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:38:46, 760 XYZ_Processor/1.1.0 Random logs
2020-08-20 08:37:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 42343
If so, how do you identify which Process ID each Application Process Completed is related to?
@ITWhisperer
Thanks for the response. Only one process runs at a time.
Once a process completes, we get the message "Application Process Completed" and then a new id gets created again, like this:
2020-08-20 08:40:46, 760 XYZ_Processor/1.1.0 Application Process Id generated : 23232