
How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

The query below gives me the start time and end time grouped by job name. I also want to list the duration by subtracting the start time from the end time.

index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "gc01*" "started - time=" OR ("ended - time=" OR "ENDED - time")
|dedup _raw
|rex field=_raw "Job gc01\w+ - started - time=\((?<StartTime>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
|rex field=_raw "Job gc01\w+ - ended - time=\((?<EndTime>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
|eval duration=strptime(EndTime,"%Y-%m-%d-%H.%M.%S")-strptime(StartTime,"%Y-%m-%d-%H.%M.%S")
|stats values(StartTime) values(EndTime) values(duration) by Job_Name
0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

SplunkTrust

Can you elaborate?
It seems like you are subtracting already:
|eval duration=strptime(EndTime ,"%Y-%m-%d-%H.%M.%S")-strptime(StartTime, "%Y-%m-%d-%H.%M.%S")

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

The above one is not giving the result.

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

SplunkTrust

Can you share some masked sample data?
Also take a look at this answer:
https://answers.splunk.com/answers/663124/how-to-subtract-the-below.html

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

SplunkTrust

You're not getting a result for duration because any single event will have either StartTime or EndTime, not both. You need to run a statistics command to bring them both into the same event/row and then do the calculation.

Assuming your date format is correct and there is only one execution of a job recorded in the selected time range, try something like this:

index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "gc01*" "started - time=" OR ("ended - time=" OR "ENDED - time") 
 |dedup _raw |rex field=_raw "Job gc01\w+ - (?<action>\w+) - time=\((?<timestamp>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
 | chart values(timestamp) over Job_Name by action | rename started as StartTime ended as EndTime
 |eval duration=strptime(EndTime,"%Y-%m-%d-%H.%M.%S")-strptime(StartTime, "%Y-%m-%d-%H.%M.%S")

The query will be a little different if there can be multiple executions of a job in the given time range.

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

Hi,

The query which I am using is:

index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "gc01*" "started - time=" OR ("ended - time=" OR "ENDED - time")
|dedup _raw
|rex field=_raw "Job gc01\w+ - started - time=\((?<StartTime>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
|rex field=_raw "Job gc01\w+ - ended - time=\((?<EndTime>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
|eval duration=strptime(EndTime,"%Y-%m-%d-%H.%M.%S")-strptime(StartTime,"%Y-%m-%d-%H.%M.%S")
|stats values(StartTime) values(EndTime) values(duration) by Job_Name

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

Yes,

There are multiple executions of the job in a time range, and so with the help of field extraction I am taking the start and end time into the field which you have mentioned as "action". Can you please tell me what to do in that scenario?

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

SplunkTrust

Give this a try:

index=auto_prod_iw* "/afiw/batch/scripts/gc01*.ksh" "gc01*" "started - time=" OR ("ended - time=" OR "ENDED - time")
  |dedup _raw |rex field=_raw "Job gc01\w+ - (?<action>\w+) - time=\((?<timestamp>\d+\-\d+\-\d+\-\d+\.\d+\.\d+)"
  | chart list(timestamp) over Job_Name by action | rename started as StartTime ended as EndTime
  | eval temp=mvzip(StartTime, EndTime,"##") | mvexpand temp | rex field=temp "(?<StartTime>.+)##(?<EndTime>.+)"
  |eval duration=strptime(EndTime,"%Y-%m-%d-%H.%M.%S")-strptime(StartTime,"%Y-%m-%d-%H.%M.%S")
  | stats list(StartTime) list(EndTime) list(duration) by Job_Name


0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

Hi somesoni2,

Thanks, this is working.
Can you please explain the query?

0 Karma

Re: How to edit my search using a start time and an end time to list the duration in my results?

Path Finder

Hi somesoni2,

Please explain the below part in your above query and why this is required?

| eval temp=mvzip(StartTime, EndTime,"##") | mvexpand temp | rex field=temp "(?<StartTime>.+)##(?<EndTime>.+)"

0 Karma
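The accepted answer above and the follow-up question about `mvzip` / `mvexpand` / `rex` both come down to the same pairing problem: each log line carries either a start or an end, so the timestamps have to be collected per job, matched up run by run, and only then subtracted. The Python below is an added walkthrough of that pipeline outside Splunk, not code from the thread or from Splunk itself: it reads a few constructed log lines in the shape the thread's `rex` expects, mirrors each SPL stage (`dedup _raw`, the `rex` extraction, `chart list() ... by action`, `mvzip` + `mvexpand` + `rex`, the `strptime` subtraction), and shows two things the SPL does not make explicit. First, the search term `"ENDED - time"` means the action can arrive in upper case, which `chart ... by action` would put in a separate `ENDED` column that the `rename` never maps to `EndTime`; the example lower-cases the action. Second, a run that has started but not yet ended leaves an unpaired timestamp, which the example reports instead of dropping. The job-name extraction (`gc01\w+`) and the sample lines are assumptions for illustration; the thread never shows how `Job_Name` is populated.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Timestamp format used by the thread's strptime() calls.
TS_FORMAT = "%Y-%m-%d-%H.%M.%S"

# Equivalent of the thread's rex: action and timestamp, plus an assumed job-name group
# (the thread's Job_Name field is never shown being extracted).
EVENT_RE = re.compile(
    r"Job (?P<job>gc01\w+) - (?P<action>\w+) - time=\((?P<timestamp>\d+-\d+-\d+-\d+\.\d+\.\d+)"
)
# Equivalent of: rex field=temp "(?<StartTime>.+)##(?<EndTime>.+)"
PAIR_RE = re.compile(r"(?P<StartTime>.+)##(?P<EndTime>.+)")

# Constructed sample events (not real data): two runs of gc01abc, one finished run of
# gc01xyz, one gc01xyz run still in progress, one upper-case ENDED, one exact duplicate.
SAMPLE_EVENTS = [
    "Job gc01abc - started - time=(2019-05-01-10.00.00)",
    "Job gc01abc - ended - time=(2019-05-01-10.05.30)",
    "Job gc01abc - started - time=(2019-05-01-11.00.00)",
    "Job gc01abc - ended - time=(2019-05-01-11.02.15)",
    "Job gc01xyz - started - time=(2019-05-01-10.10.00)",
    "Job gc01xyz - ENDED - time=(2019-05-01-10.11.00)",   # upper-case action, as in the search terms
    "Job gc01xyz - started - time=(2019-05-01-12.00.00)", # started, no matching end yet
    "Job gc01abc - ended - time=(2019-05-01-11.02.15)",   # duplicate line; dedup _raw drops it
]


def parse_events(raw_lines: List[str]) -> List[Tuple[str, str, str]]:
    """dedup _raw | rex ...: drop exact duplicate lines, extract (job, action, timestamp).
    The action is lower-cased so 'ENDED' lands in the same bucket as 'ended'."""
    seen = set()
    events = []
    for line in raw_lines:
        if line in seen:
            continue
        seen.add(line)
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("job"), m.group("action").lower(), m.group("timestamp")))
    return events


def chart_by_action(events: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """chart list(timestamp) over Job_Name by action: one row per job, and for each action
    the list of timestamps in the order the events were seen."""
    rows: Dict[str, Dict[str, List[str]]] = {}
    for job, action, ts in events:
        rows.setdefault(job, {}).setdefault(action, []).append(ts)
    return rows


def mvzip_expand(starts: List[str], ends: List[str], delim: str = "##") -> List[Tuple[str, str]]:
    """mvzip + mvexpand + rex: join the i-th start with the i-th end into one string (mvzip),
    turn each string into its own row (mvexpand), then split it back into the two fields (rex).
    Stops at the shorter list; callers handle whatever is left over."""
    temp = [f"{s}{delim}{e}" for s, e in zip(starts, ends)]      # mvzip
    rows = []
    for t in temp:                                                # mvexpand
        m = PAIR_RE.fullmatch(t)                                  # rex
        rows.append((m.group("StartTime"), m.group("EndTime")))
    return rows


def duration_seconds(start: str, end: str) -> float:
    """strptime(EndTime) - strptime(StartTime), in seconds."""
    return (datetime.strptime(end, TS_FORMAT) - datetime.strptime(start, TS_FORMAT)).total_seconds()


def job_durations(raw_lines: List[str]):
    """Whole pipeline. Returns ({job: [(StartTime, EndTime, duration), ...]},
    {job: [unpaired timestamps]}). Timestamps are sorted before pairing so the i-th start
    always meets the i-th end chronologically, whatever order the lines arrived in."""
    rows = chart_by_action(parse_events(raw_lines))
    paired: Dict[str, List[Tuple[str, str, float]]] = {}
    unpaired: Dict[str, List[str]] = {}
    for job, by_action in rows.items():
        starts = sorted(by_action.get("started", []))
        ends = sorted(by_action.get("ended", []))
        paired[job] = [(s, e, duration_seconds(s, e)) for s, e in mvzip_expand(starts, ends)]
        n = min(len(starts), len(ends))
        leftover = starts[n:] + ends[n:]
        if leftover:
            unpaired[job] = leftover
    return paired, unpaired


if __name__ == "__main__":
    paired, unpaired = job_durations(SAMPLE_EVENTS)
    for job, runs in paired.items():
        for s, e, d in runs:
            print(f"{job}\t{s}\t{e}\t{d:.0f}s")
    for job, left in unpaired.items():
        print(f"{job}\tunpaired: {left}")
```

The pairing by position is exactly what `mvzip` does in the accepted answer: `chart list()` leaves one multivalue list of starts and one of ends per job, and `mvzip` stitches the first start to the first end, the second to the second, and so on, so that `mvexpand` can turn each pair into its own row before the subtraction. That only holds when every run in the search window has both its start and its end in the window; the `unpaired` output here is the check for the case where it does not.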