Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate latencies between jobs?

Aqawelska
Observer
‎05-18-2022 02:38 AM

Hi ,

I need to find the time difference between two events, these events are when a job on our server starts running and when it finishes.

I found this answer to a very similar question https://community.splunk.com/t5/Splunk-Search/Calculate-time-difference-between-two-events/td-p/5786...

but when i try this it does not show me the latency (empty). , I think it has something to do with the search words or the conditions I'm using but I am not sure. Any help is appreciated !


index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats earliest(_time) as Start_time, latest(_time) as Finished_time by host
| eval Latency=tostring(Start_time-Finished_time, "duration")
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%c")
| fieldformat Start_time=strftime(Start_time,"%c")


The output is with latency empty:

             Start_time                                       Finished_time                       Latency        host

1 Wed May 18 03:30:08 2022 Wed May 18 03:42:47 2022   AUDIINSA4304



Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-18-2022 02:44 AM

Hi @Aqawelska,

you should calculate Finish_time-Start_time not the contrary:

index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats 
     earliest(_time) AS Start_time 
     latest(_time) AS Finished_time 
     by host
| eval Latency=tostring(Finished_time-Start_time, "duration")
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%c")
| fieldformat Start_time=strftime(Start_time,"%c")

 Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...