Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to display _time format ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snehasal
Explorer
07-17-2017
02:45 PM
Hi,
I have written a query to find average of the runtime for each job on daily basis. My query works fine and I get results as expected. However, the _time in the search events doesn't show the exact time of event.
e.g _time is step_dtm_pst = 2017-06-05 23:49:24
However, after I run the query _times shows: 05/06/2017 00:00:00.000
The reason for this is using bin _time span=1d in query.
source="Temp10.csv" sourcetype="csv"
| where step_info ="WORKFLOW START" OR step_info = "WORKFLOW END"
| eval WfStart=If(step_info="WORKFLOW START",_time,null())
| eval WfEnd=If(step_info="WORKFLOW END",_time,null())
| sort 0 workflow_run_id
| streamstats latest(WfStart) as WfStart, earliest(WfEnd) as WfEnd by workflow_run_id
| eval WfDuration=round(((WfEnd-WfStart)/60),2)
| bin _time span=1d
| timechart eval(round(avg(WfDuration),2)) as avgWFDuration by workflow_name limit=0 useother=false
I am not sure how to resolve this. Please help.
Thanks,
Sneha
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-17-2017
03:13 PM
try this
source="Temp10.csv" sourcetype="csv"
| where step_info ="WORKFLOW START" OR step_info = "WORKFLOW END"
| eval WfStart=If(step_info="WORKFLOW START",_time,null())
| eval WfEnd=If(step_info="WORKFLOW END",_time,null())
| sort 0 workflow_run_id
| streamstats latest(WfStart) as WfStart, earliest(WfEnd) as WfEnd by workflow_run_id
| eval WfDuration=round(((WfEnd-WfStart)/60),2)
| timechart span=1d eval(round(avg(WfDuration),2)) as avgWFDuration by workflow_name limit=0 useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-17-2017
03:13 PM
try this
source="Temp10.csv" sourcetype="csv"
| where step_info ="WORKFLOW START" OR step_info = "WORKFLOW END"
| eval WfStart=If(step_info="WORKFLOW START",_time,null())
| eval WfEnd=If(step_info="WORKFLOW END",_time,null())
| sort 0 workflow_run_id
| streamstats latest(WfStart) as WfStart, earliest(WfEnd) as WfEnd by workflow_run_id
| eval WfDuration=round(((WfEnd-WfStart)/60),2)
| timechart span=1d eval(round(avg(WfDuration),2)) as avgWFDuration by workflow_name limit=0 useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snehasal
Explorer
07-18-2017
09:49 AM
This works.
Thank you:)
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What’s New & Next in Splunk SOAR
Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us for an ...
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Ready to master Kubernetes and cloud monitoring like the pros?
Join Splunk’s Growth Engineering team for an ...
