Splunk Enterprise

How to fetch time in splunk logs for events with particular context

ksuyash
Explorer
6/29/22
4:58:14.526 PM
 
2022-06-29 17:58:14.526 [Task1] INFO Task1 - Published Task1 received  id 101

 

6/29/22
4:59:14.526 PM
 
2022-06-29 17:58:14.526 [Task1] INFO Task1 - Published Task1 done  id 101


I'm trying  to fetch time for both the events (when it is received and when the task is done)  and calculate the difference between them in form of table 

I tried 
index=source "Published Task 1"
| rex "id" (?<ID>\d+) 
| table  ID start_time End_time difference _time

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

What's lacking in that query are the fields other than "ID".  You can, however, use stats and eval to get them.

index=source "Published Task 1"
| rex "id" (?<ID>\d+) 
| stats min(_time) as start_time, max(_time) as End_time by ID
| eval difference_time = End_time - start_time
| table  ID start_time End_time difference_time

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

What's lacking in that query are the fields other than "ID".  You can, however, use stats and eval to get them.

index=source "Published Task 1"
| rex "id" (?<ID>\d+) 
| stats min(_time) as start_time, max(_time) as End_time by ID
| eval difference_time = End_time - start_time
| table  ID start_time End_time difference_time

 

---
If this reply helps you, Karma would be appreciated.

ksuyash
Explorer

It was really helpful 
Thank you so much 
I'm getting time in Unix format 
1656483082.160
Any easy way to convert it

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...