Calculate meantime it takes for jobs to complete

DCUpro
Explorer

Hi Everyone,

I'm a bit of a newbie to Splunk but I was wondering if anyone would be able to maybe give me some advice.

I send a number of logs to my Splunk index which are created by a Python script. One of the fields I have defined is "Completion Time" which contains the value of how long it took a certain job to complete. This value could range from hours to days and is shown in the following format: "2 days, 7:57:01"

My plan was to use a dashboard which would tell me the meantime of how long it takes certain jobs to run. However, I'm unsure if Splunk has a way to interpret the values presented in this way. Can anyone maybe suggest if this is possible or would I be better altering the script to only show the time in hours? I know I probably could calculate this in Splunk using the start and finish times of the jobs too but this seems like it would be more resource intensive.

Would love to hear some advice from the experts.

Note: I'd prefer to keep it in the same format as it's easier for the user to read when they're looking at the logs for individual jobs.

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

This should solve it. 

| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field=Completiontime "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| streamstats avg(meantime) as duration
| fieldformat duration = tostring(round(duration), "duration")
| table Completiontime duration

r. Ismo 


richgalloway
SplunkTrust

This run-anywhere example shows one way to convert Completion Time to meantime.

| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?<days>\d+) days, (?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
---
If this reply helps you, Karma would be appreciated.
0 Karma

DCUpro
Explorer

Thanks Rich for the reply,

I'm not sure if this solves my problem though. Let's say I call a search and it returns 3 results. All 3 logs contain a field called 'Completion Time' and the times would be:

1 day, 3:10:49
1 day, 0:55:03
22:43:24

Ideally I'm looking for a way for Splunk to interpret the values and return to me the meantime (average time) it took for those jobs to run.

I'm not sure if this is possible or perhaps it would be a lot simpler if I only logged the completion time in hours?

Thanks again for the help.

0 Karma

richgalloway
SplunkTrust

Thanks for clarifying the question. This search will provide the mean of all CompletionTime values.

| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?:(?<days>\d+) days?, )?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval CompletionSecs = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(CompletionSecs) as meantime
---
If this reply helps you, Karma would be appreciated.

DCUpro
Explorer

Thank you both for your help.

@richgalloway Unfortunately your solution still won't accept fields that only have hours and not days. I need to pass it several times based of several hours to several days.

@isoutamo's response wasn't exactly what I wanted but ultimately got me to the solution I wanted as it takes all time ranges.

This is exactly what I was looking for, just in case it helps anyone else. It takes a list of times and calculates the meantime and presents it in a readable format for a dashboard widget.

| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field="Completiontime" "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(meantime) as duration
| eval duration = tostring(round(duration), "duration")
| eval durationFormatted=replace(duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days, \2:\3:\4 hrs")
| table durationFormatted


0 Karma
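An added example, not code from any poster in this thread: the same parse-and-average logic on the Python side, assuming (the thread does not say so) that the script builds "Completion Time" with str(datetime.timedelta), whose output has the same shape as the values shown. The function names and the completion_secs field are hypothetical; log_fields emits a numeric seconds field beside the readable one so a search can average it without a rex.

```python
import re
from datetime import timedelta

# Constructed sample input: the four values used in the thread.
SAMPLE = ["1 day, 3:10:49", "1 day, 0:55:03", "22:43:24", "2 days, 7:57:01"]

# Same shape as the rex in the thread: optional "N day(s), " prefix, then H:MM:SS.
# The optional fraction is an addition: str(timedelta) appends ".ffffff" when
# microseconds are non-zero.
DURATION_RE = re.compile(
    r"^(?:(?P<days>\d+) days?,\s*)?"
    r"(?P<hours>\d+):(?P<mins>\d{2}):(?P<secs>\d{2})(?:\.(?P<frac>\d+))?$"
)

def parse_completion_time(text):
    """Return the duration in seconds, or None if the value does not match."""
    m = DURATION_RE.match(text.strip())
    if m is None:
        return None
    days = int(m.group("days") or 0)  # missing days -> 0, like coalesce(days, 0)
    seconds = (days * 86400 + int(m.group("hours")) * 3600
               + int(m.group("mins")) * 60 + int(m.group("secs")))
    if m.group("frac"):
        seconds += float("0." + m.group("frac"))
    return seconds

def mean_completion_time(values):
    """Return (mean as timedelta or None, list of values that did not parse)."""
    parsed, rejected = [], []
    for value in values:
        seconds = parse_completion_time(value)
        if seconds is None:
            rejected.append(value)  # surface bad values instead of dropping them
        else:
            parsed.append(seconds)
    if not parsed:
        return None, rejected
    return timedelta(seconds=round(sum(parsed) / len(parsed))), rejected

def log_fields(delta):
    """Hypothetical helper: readable value for people, seconds for searches."""
    return {"Completion Time": str(delta),
            "completion_secs": int(delta.total_seconds())}

if __name__ == "__main__":
    average, bad = mean_completion_time(SAMPLE)
    print(log_fields(average), bad)
```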

