Solved: Extract value from multiple events and find time d...

vanakkam · ‎08-15-2019

Sample log data
{‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’}
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’endtime’:’2019-08-15 15:10:00’}
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}
stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’}

I am trying get a table like this output
Job_id stage time taken

1 Build. 10
1 Exc. 10
1 Total. 20

I am new to Splunk I tried a few things but. I cannot get nothing close to expected answer

Thanks

nareshinsvu · ‎08-15-2019

Try this: Watchout for your single quotes in the code. I have blindly used your raw data. Tweak the code as per your needs. Accept and/or upvote my reply if it helps. Good luck.

|makeresults 
| eval _raw=" {‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’} "
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’end_time’:’2019-08-15 15:10:00’} "]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}"]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’} " ]
 `comment("Don't worry about anything above this line. It's just used for generating your raw data")`

| rex field=_raw "\’stage_type\:\’(?<Type>.*?)\s*\’\," 
|rex field=_raw "\’start_time\’\:\’(?<Start_Time>.*?)\s*\’" 
|rex field=_raw "\’end_time\’\:\’(?<End_Time>.*?)\s*\’" 
|rex field=_raw "\‘job_id\,\:\’(?<job_id>\d+)\’\," 
| transaction job_id startswith="end_time" endswith="start_time" 
| eval Diff_in_secs=strptime(End_Time, "%Y-%m-%d %H:%M:%S.%3N")-strptime(Start_Time, "%Y-%m-%d %H:%M:%S.%3N")
| eventstats sum(Diff_in_secs) as TotalDiff_in_secs
|table Start_Time End_Time Type Diff_in_secs TotalDiff_in_secs

View solution in original post

nareshinsvu · ‎08-15-2019

Try this: Watchout for your single quotes in the code. I have blindly used your raw data. Tweak the code as per your needs. Accept and/or upvote my reply if it helps. Good luck.

|makeresults 
| eval _raw=" {‘job_id,:’1’, ‘stage_state’:’build_begin’,’stage_type:’build’,’start_time’:’2019-08-15 15:00:00’} "
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’build_end’,’stage_type:’build’,’end_time’:’2019-08-15 15:10:00’} "]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_begin’,’stage_type:’exec’,’start_time’:’2019-08-15 15:10:01’}"]
|append[
|makeresults 
| eval _raw="
{‘job_id,:’1’, ‘stage_state’:’exc_end’,’stage_type:’exec’,’end_time’:’2019-08-15 15:20:00’} " ]
 `comment("Don't worry about anything above this line. It's just used for generating your raw data")`

| rex field=_raw "\’stage_type\:\’(?<Type>.*?)\s*\’\," 
|rex field=_raw "\’start_time\’\:\’(?<Start_Time>.*?)\s*\’" 
|rex field=_raw "\’end_time\’\:\’(?<End_Time>.*?)\s*\’" 
|rex field=_raw "\‘job_id\,\:\’(?<job_id>\d+)\’\," 
| transaction job_id startswith="end_time" endswith="start_time" 
| eval Diff_in_secs=strptime(End_Time, "%Y-%m-%d %H:%M:%S.%3N")-strptime(Start_Time, "%Y-%m-%d %H:%M:%S.%3N")
| eventstats sum(Diff_in_secs) as TotalDiff_in_secs
|table Start_Time End_Time Type Diff_in_secs TotalDiff_in_secs

Extract value from multiple events and find time delta

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation