Solved: Extract value from multiple events and find time d...

vanakkam · ‎08-15-2019

Sample log data
{‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’}
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’endtime’:’2019-08-15 15:10:00’}
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}
stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’}

I am trying get a table like this output
Job_id stage time taken

1 Build. 10
1 Exc. 10
1 Total. 20

I am new to Splunk I tried a few things but. I cannot get nothing close to expected answer

Thanks

nareshinsvu · ‎08-15-2019

Try this: Watchout for your single quotes in the code. I have blindly used your raw data. Tweak the code as per your needs. Accept and/or upvote my reply if it helps. Good luck.

|makeresults 
| eval _raw=" {‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’} "
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’end_time’:’2019-08-15 15:10:00’} "]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}"]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’} " ]
 `comment("Don't worry about anything above this line. It's just used for generating your raw data")`

| rex field=_raw "\’stage_type\:\’(?<Type>.*?)\s*\’\," 
|rex field=_raw "\’start_time\’\:\’(?<Start_Time>.*?)\s*\’" 
|rex field=_raw "\’end_time\’\:\’(?<End_Time>.*?)\s*\’" 
|rex field=_raw "\‘job_id\,\:\’(?<job_id>\d+)\’\," 
| transaction job_id startswith="end_time" endswith="start_time" 
| eval Diff_in_secs=strptime(End_Time, "%Y-%m-%d %H:%M:%S.%3N")-strptime(Start_Time, "%Y-%m-%d %H:%M:%S.%3N")
| eventstats sum(Diff_in_secs) as TotalDiff_in_secs
|table Start_Time End_Time Type Diff_in_secs TotalDiff_in_secs

View solution in original post

nareshinsvu · ‎08-15-2019

Try this: Watchout for your single quotes in the code. I have blindly used your raw data. Tweak the code as per your needs. Accept and/or upvote my reply if it helps. Good luck.

|makeresults 
| eval _raw=" {‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’} "
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’end_time’:’2019-08-15 15:10:00’} "]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}"]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’} " ]
 `comment("Don't worry about anything above this line. It's just used for generating your raw data")`

| rex field=_raw "\’stage_type\:\’(?<Type>.*?)\s*\’\," 
|rex field=_raw "\’start_time\’\:\’(?<Start_Time>.*?)\s*\’" 
|rex field=_raw "\’end_time\’\:\’(?<End_Time>.*?)\s*\’" 
|rex field=_raw "\‘job_id\,\:\’(?<job_id>\d+)\’\," 
| transaction job_id startswith="end_time" endswith="start_time" 
| eval Diff_in_secs=strptime(End_Time, "%Y-%m-%d %H:%M:%S.%3N")-strptime(Start_Time, "%Y-%m-%d %H:%M:%S.%3N")
| eventstats sum(Diff_in_secs) as TotalDiff_in_secs
|table Start_Time End_Time Type Diff_in_secs TotalDiff_in_secs

Extract value from multiple events and find time delta

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!