Splunk Search

How do I extract 2 timestamps from the same line

bsteph
Explorer

I want to chart multiple jobs that start and end at different times by time period. How do I extract the start and end time for a job and chart which jobs were running at a specified time? In this example, I have multiple jobs starting in a 1 hour interval but ending at different times; the first timestamp is the job's start time and the second is the job's end time:

12/08/16.00:08:15 12/08/16.00:08:17 job1
12/08/16.00:08:15 12/08/16.00:08:17 job2
12/08/16.00:07:49 12/08/16.00:08:44 job3
12/08/16.00:08:55 12/08/16.00:08:55 job4
12/08/16.00:08:31 12/08/16.00:09:00 job5
12/08/16.00:09:05 12/08/16.00:09:06 job6
12/08/16.00:09:15 12/08/16.00:09:15 job7
12/08/16.00:07:06 12/08/16.00:09:17 job8
12/08/16.00:09:25 12/08/16.00:09:25 job9
12/08/16.00:08:50 12/08/16.00:09:26 job10
12/08/16.00:09:40 12/08/16.00:09:42 job11
12/08/16.00:09:44 12/08/16.00:09:44 job 12

1 Solution

bsteph
Explorer

That was great. It led me to this:
source="startjob.log"
| eval stime=strptime(start_timestamp,"%y/%m/%d.%H:%M:%S")
| eval etime=strptime(end_timestamp,"%y/%m/%d.%H:%M:%S")
| stats min(stime) as begin max(etime) as end by job_name
| eval duration = end - begin
| eval dur=duration
| fieldformat duration=tostring(duration,"duration")
| eval begin=strftime(begin,"%m/%d/%Y %H:%M:%S")
| eval end=strftime(end,"%m/%d/%Y %H:%M:%S")

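The accepted search assumes the two timestamps are already extracted as fields and stops at per-job durations; it does not show the "which jobs were running at time T" chart the question asked for. Below is an added example, not code from the original post or from Splunk, that walks the whole path on the twelve sample lines from the question: pull both timestamps and the job name out of each raw line with one regex, parse them with the same strptime order the accepted answer uses, compute durations, list the jobs running at a given second, and count the jobs running in each 10-second bucket. It is written in Python so it can be run offline; the equivalent SPL pipeline (rex, strptime, mvrange/mvexpand, timechart) is kept in the SPL_EQUIVALENT string. The field names start_ts, end_ts and job_name, the 10-second span, and the embedded sample log are assumptions of this example.

```python
import calendar
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the twelve lines from the question, "start end job" per line.
SAMPLE_LOG = """\
12/08/16.00:08:15 12/08/16.00:08:17 job1
12/08/16.00:08:15 12/08/16.00:08:17 job2
12/08/16.00:07:49 12/08/16.00:08:44 job3
12/08/16.00:08:55 12/08/16.00:08:55 job4
12/08/16.00:08:31 12/08/16.00:09:00 job5
12/08/16.00:09:05 12/08/16.00:09:06 job6
12/08/16.00:09:15 12/08/16.00:09:15 job7
12/08/16.00:07:06 12/08/16.00:09:17 job8
12/08/16.00:09:25 12/08/16.00:09:25 job9
12/08/16.00:08:50 12/08/16.00:09:26 job10
12/08/16.00:09:40 12/08/16.00:09:42 job11
12/08/16.00:09:44 12/08/16.00:09:44 job 12
"""

# Same extraction the rex in SPL_EQUIVALENT performs: two whitespace-free
# timestamps, then everything that is left is the job name (so "job 12" survives).
LINE_RE = re.compile(r"^(?P<start_ts>\S+)\s+(?P<end_ts>\S+)\s+(?P<job_name>.+?)\s*$")

# Same order as the accepted answer (yy/mm/dd). A value like 12/08/16 is ambiguous:
# if the log is really mm/dd/yy, every date parses without error but is wrong, so
# check one parsed line against a known run before trusting the chart.
TS_FORMAT = "%y/%m/%d.%H:%M:%S"

# The Splunk search doing the same work (assumed field names and a 10s span).
SPL_EQUIVALENT = r'''
source="startjob.log"
| rex "^(?<start_ts>\S+)\s+(?<end_ts>\S+)\s+(?<job_name>.+)$"
| eval stime=strptime(start_ts, "%y/%m/%d.%H:%M:%S")
| eval etime=strptime(end_ts, "%y/%m/%d.%H:%M:%S")
| eval duration=etime-stime
| eval bucket=mvrange(floor(stime/10)*10, floor(etime/10)*10+10, 10)
| mvexpand bucket
| eval _time=bucket
| timechart span=10s dc(job_name) AS running_jobs values(job_name) AS jobs
'''

EPOCH = datetime(1970, 1, 1)


def _to_epoch(dt):
    # Treat the naive timestamp as UTC so bucket boundaries do not depend on local TZ.
    return calendar.timegm(dt.timetuple())


def _from_epoch(seconds):
    return EPOCH + timedelta(seconds=seconds)


def parse_jobs(text):
    """Return (job_name, start, end) tuples for every line that matches LINE_RE."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # rex would likewise leave the fields unset for this event
        start = datetime.strptime(m["start_ts"], TS_FORMAT)
        end = datetime.strptime(m["end_ts"], TS_FORMAT)
        if end < start:
            continue  # negative duration: wrong TS_FORMAT order or a corrupt line
        jobs.append((m["job_name"], start, end))
    return jobs


def job_durations(jobs):
    """Seconds from start to end per job, like 'eval duration = end - begin'."""
    return {name: int((end - start).total_seconds()) for name, start, end in jobs}


def running_at(jobs, when_ts):
    """Jobs whose [start, end] interval contains the given timestamp string."""
    when = datetime.strptime(when_ts, TS_FORMAT)
    return sorted(name for name, start, end in jobs if start <= when <= end)


def running_by_bucket(jobs, span=10):
    """Map each `span`-second bucket start (as a TS_FORMAT string) to the jobs
    running in it; mirrors the mvrange/mvexpand/timechart part of the SPL.
    Buckets with no jobs are absent (timechart would show them as 0)."""
    buckets = defaultdict(set)
    for name, start, end in jobs:
        first = _to_epoch(start) // span * span
        last = _to_epoch(end) // span * span
        for t in range(first, last + span, span):
            buckets[t].add(name)
    return {_from_epoch(t).strftime(TS_FORMAT): sorted(names)
            for t, names in sorted(buckets.items())}


if __name__ == "__main__":
    jobs = parse_jobs(SAMPLE_LOG)
    print("running at 00:09:00:", running_at(jobs, "12/08/16.00:09:00"))
    for bucket, names in running_by_bucket(jobs).items():
        print(bucket, len(names), names)
```

On the sample data the busiest 10-second buckets hold four jobs at once (for example job1, job2, job3 and job8 in the 00:08:10 bucket). To answer the point-in-time question directly in Splunk, append `| where stime <= strptime("12/08/16.00:09:00", "%y/%m/%d.%H:%M:%S") AND etime >= strptime("12/08/16.00:09:00", "%y/%m/%d.%H:%M:%S")` after the two strptime evals instead of the mvrange/timechart steps.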