Hi Everyone,
I'm a bit of a newbie to Splunk, but I was wondering if anyone would be able to give me some advice.
I send a number of logs to my Splunk index which are created by a Python script. One of the fields I have defined is "Completion Time", which contains the value of how long it took a certain job to complete. This value could range from hours to days and is shown in the following format: "2 days, 7:57:01"
My plan was to use a dashboard which would tell me the mean time of how long it takes certain jobs to run. However, I'm unsure if Splunk has a way to interpret the values presented in this way. Can anyone suggest if this is possible, or would I be better off altering the script to only show the time in hours? I know I probably could calculate this in Splunk using the start and finish times of the jobs too, but this seems like it would be more resource intensive.
Would love to hear some advice from the experts.
Note: I'd prefer to keep it in the same format as it's easier for the user to read when they're looking at the logs for individual jobs.
Hi
This should solve it.
| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field=Completiontime "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| streamstats avg(meantime) as duration
| fieldformat duration = tostring(round(duration), "duration")
| table Completiontime duration
r. Ismo
This run-anywhere example shows one way to convert Completion Time to mean time.
| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?<days>\d+) days, (?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
Thanks Rich for the reply,
I'm not sure if this solves my problem though. Let's say I call a search and it returns 3 results. All 3 logs contain a field called 'Completion Time' and the times would be:
1 day, 3:10:49
1 day, 0:55:03
22:43:24
Ideally I'm looking for a way for Splunk to interpret the values and return to me the mean time (average time) it took for those jobs to run.
I'm not sure if this is possible or perhaps it would be a lot simpler if I only logged the completion time in hours?
Thanks again for the help.
Thanks for clarifying the question. This search will provide the mean of all CompletionTime values.
| makeresults | eval CompletionTime="2 days, 7:57:01"
| rex field=CompletionTime "(?:(?<days>\d+) days?, )?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval CompletionSecs = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(CompletionSecs) as meantime
Thank you both for your help.
@richgalloway Unfortunately your solution still won't accept fields that only have hours and not days. I need to pass it several values, ranging from several hours to several days.
@isoutamo's response wasn't exactly what I wanted, but ultimately got me to the solution I wanted as it takes all time ranges.
This is exactly what I was looking for, just in case it helps anyone else. It takes a list of times, calculates the mean time and presents it in a readable format for a dashboard widget.
| makeresults
| eval _raw="Completiontime
1 day, 3:10:49
1 day, 0:55:03
22:43:24
2 days, 7:57:01"
| multikv forceheader=1
| rename COMMENT as "Previous lines generates sample data"
| rex field="Completiontime" "((?<days>\d+) days?,\s*)?(?<hours>\d+):(?<mins>\d+):(?<secs>\d+)"
| eval days = coalesce(days, 0), hours = coalesce(hours, 0), mins = coalesce(mins, 0), secs = coalesce(secs, 0)
| eval meantime = days * 86400 + hours * 3600 + mins * 60 + secs
| stats avg(meantime) as duration
| eval duration = tostring(round(duration), "duration")
| eval durationFormatted=replace(duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days, \2:\3:\4 hrs")
| table durationFormatted
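Added example, not part of any post in this thread: the "2 days, 7:57:01" / "22:43:24" format is exactly what Python's str(datetime.timedelta) produces, so the same parsing can be done in the script that writes the logs, or checked locally before trusting the SPL. The code below mirrors the regex from the accepted answer but anchors it to the whole value, so a malformed "Completion Time" raises an error instead of being parsed as 0 seconds (in the SPL above, a non-matching row gets coalesce(...,0) and drags the average down). The sample values are the four from the thread plus one constructed bad value; function names are my own.

```python
import re
from datetime import timedelta
from statistics import mean

# Same groups as the rex in the accepted answer ("days?" covers "1 day"),
# but anchored so the entire field must match. Fractional seconds are allowed
# because str(timedelta) emits them when the delta has microseconds.
DURATION_RE = re.compile(
    r"^(?:(?P<days>\d+) days?,\s*)?"
    r"(?P<hours>\d+):(?P<mins>\d{2}):(?P<secs>\d{2}(?:\.\d+)?)$"
)


def parse_completion_time(value: str) -> float:
    """Convert 'N days, H:MM:SS' or 'H:MM:SS' to seconds.

    Raises ValueError for anything that does not match, rather than
    silently treating a garbage field as a zero-length job.
    """
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised Completion Time: {value!r}")
    days = int(m.group("days") or 0)          # absent when the job took < 1 day
    return (days * 86400
            + int(m.group("hours")) * 3600
            + int(m.group("mins")) * 60
            + float(m.group("secs")))


def format_completion_time(seconds: float) -> str:
    """Render seconds back in the same style the logs use (e.g. '1 day, 8:41:34')."""
    return str(timedelta(seconds=round(seconds)))


def mean_completion_time(values):
    """Return (mean_seconds, unparseable_values) for a list of Completion Time strings.

    Bad values are reported separately so the caller can alert on them instead
    of letting them skew the dashboard number.
    """
    good, bad = [], []
    for v in values:
        try:
            good.append(parse_completion_time(v))
        except ValueError:
            bad.append(v)
    if not good:
        raise ValueError("no parseable Completion Time values")
    return mean(good), bad


# Constructed sample input: the four values from the thread plus one bad field.
SAMPLE_VALUES = [
    "1 day, 3:10:49",
    "1 day, 0:55:03",
    "22:43:24",
    "2 days, 7:57:01",
    "n/a",
]

if __name__ == "__main__":
    avg, bad = mean_completion_time(SAMPLE_VALUES)
    print(f"mean completion time: {format_completion_time(avg)} ({avg:.2f} s)")
    if bad:
        print(f"ignored {len(bad)} unparseable value(s): {bad}")
```

Because the mean is computed in seconds and only rendered at the end, the result is the same whether the inputs were hours-only or multi-day, which is the case Rich's first regex missed.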