Splunk Search

Best way to format out time field for average time

Path Finder

I am using the linux time command to see how long it takes to run a process.

My logs show as runtime=0m0.000s

So example would be runtime=2m47.012s

What is the best way to parse the output that the command "time provides" to be able to get a time chart of the results?

I tried just doing a timechart, but with no results of the actual time above.
index=metrics process=dailybackup
| timechart span=4h avg(runtime)

0 Karma

Ultra Champion

you are trying to perform a statistical function avg on field that contains strings: 2m47.012s
there are many ways to approach this challenge, here is one using rex and eval to create an integer for seconds:

| makeresults count=1
| eval runtime="2m47.012s,4m4.912s,12m7.020s,0m9.999s,0m0.712s,3m7.012s,14m4.920s,1m17.029s,0m4.880s,0m0.001s"
| makemv delim="," runtime
| mvexpand runtime
| streamstats count as event_count
| eval _time = _time - event_count * 1000
| rename COMMENT as "the above generates data with different time for timechart, below is the solution" 
| rex field=runtime "(?<minutes>\d+)m(?<seconds>\d+).(?<miliseconds>\d+)"
| eval min_to_sec = minutes * 60
| eval mili_to_sec = exact(miliseconds / 1000)
| eval total_runtime_seconds = exact(seconds + min_to_sec + mili_to_sec)
| timechart span=3000s avg(total_runtime_seconds) as avg_run_time

hope it helps

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...