Calculate meantime it takes for jobs to complete

DCUpro
Explorer

Hi Everyone,

I'm a bit of a newbie to Splunk but I was wondering if anyone would be able to maybe give me some advice.

I send a number of logs to my Splunk index which are created by a python script. One of the fields I have defined is "Completion Time" which contains the value of how long it took a certain job to complete. This value could range from hours to days and is shown in the following format: "2 days, 7:57:01"

My plan was to use a dashboard which would tell me the meantime of how long it takes certain jobs to run. However, I'm unsure if Splunk has a way to interpret the values presented in this way. Can anyone maybe suggest if this is possible or would I be better altering the script to only show the time in hours? I know I probably could calculate this in Splunk using the start and finish times of the jobs too but this seems like it would be more resource intensive.

Would love to hear some advice from the experts.

Note: I'd prefer to keep it in the same format as it's easier for the user to read when they're looking at the logs for individual jobs.

0 Karma

isoutamo
SplunkTrust

Hi

This should solve it. 

| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field=Completiontime "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| streamstats avg(meantime) as duration
| fieldformat duration = tostring(round(duration), "duration")
| table Completiontime duration

r. Ismo 


richgalloway
SplunkTrust

This run-anywhere example shows one way to convert Completion Time to meantime.

| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?<days>\d+) days, (?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
---
If this reply helps you, Karma would be appreciated.
0 Karma

DCUpro
Explorer

Thanks Rich for the reply,

I'm not sure if this solves my problem though. Let's say I call a search and it returns 3 results. All 3 logs contain a field called 'Completion Time' and the times would be:

1 day, 3:10:49
1 day, 0:55:03
22:43:24

Ideally I'm looking for a way for Splunk to interpret the values and return to me the meantime (average time) it took for those jobs to run.

I'm not sure if this is possible or perhaps it would be a lot simpler if I only logged the completion time in hours?

Thanks again for the help.

0 Karma

richgalloway
SplunkTrust

Thanks for clarifying the question. This search will provide the mean of all CompletionTime values.

| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?:(?<days>\d+) days?, )?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval CompletionSecs = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(CompletionSecs) as meantime
---
If this reply helps you, Karma would be appreciated.

DCUpro
Explorer

Thank you both for your help.

@richgalloway Unfortunately your solution still won't accept fields that only have hours and not days. I need to pass it several times ranging from several hours to several days.

@isoutamo's response wasn't exactly what I wanted but ultimately got me to the solution I wanted as it takes all time ranges.

This is exactly what I was looking for, just in case it helps anyone else. It takes a list of times and calculates the meantime and presents it in a readable format for a dashboard widget.

| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field="Completiontime" "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(meantime) as duration
| eval duration = tostring(round(duration), "duration")
| eval durationFormatted=replace(duration,"^(\d+)\+(\d+):(\d+):(\d+)$","\1 days, \2:\3:\4 hrs")
| table durationFormatted

 

0 Karma
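The same parsing and averaging done outside Splunk, as an added Python example that is not part of any post in this thread: it mirrors the optional-days `rex` and the `coalesce(days, 0)` step, and reports values that do not match instead of letting them drop out of the mean silently. The function names and the malformed `n/a` sample value are assumptions made for illustration.

```python
import re
from statistics import mean

# Same shape as the rex in the thread: the "N day(s), " prefix is optional.
DURATION_RE = re.compile(
    r"^(?:(?P<days>\d+) days?,\s*)?(?P<hours>\d+):(?P<mins>\d+):(?P<secs>\d+)$"
)

def to_seconds(text):
    """Convert '2 days, 7:57:01' or '22:43:24' to seconds; None if it does not parse."""
    m = DURATION_RE.match(text.strip())
    if m is None:
        return None
    days = int(m["days"] or 0)  # equivalent of coalesce(days, 0)
    return days * 86400 + int(m["hours"]) * 3600 + int(m["mins"]) * 60 + int(m["secs"])

def format_duration(seconds):
    """Render seconds back in the style used in the logs."""
    days, rem = divmod(int(round(seconds)), 86400)
    hours, rem = divmod(rem, 3600)
    mins, secs = divmod(rem, 60)
    clock = f"{hours}:{mins:02d}:{secs:02d}"
    if days == 0:
        return clock
    return f"{days} day{'s' if days != 1 else ''}, {clock}"

def mean_duration(values):
    """Return (formatted mean, list of rejected raw values)."""
    parsed, rejected = [], []
    for value in values:
        secs = to_seconds(value)
        if secs is None:
            rejected.append(value)  # surface bad input instead of skewing the mean
        else:
            parsed.append(secs)
    if not parsed:
        return None, rejected
    return format_duration(mean(parsed)), rejected

# Constructed sample: the four values from the thread plus one malformed entry.
SAMPLE = ["1 day, 3:10:49", "1 day, 0:55:03", "22:43:24", "2 days, 7:57:01", "n/a"]

if __name__ == "__main__":
    print(mean_duration(SAMPLE))
```
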

