Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the difference between time stamps in 2 different events?

MWAKburns
Engager
‎06-15-2017 01:11 PM

Hello!

I am have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here the raw data of the logs:

CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN  
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN  
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN  
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN  
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START

I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible.

Any ideas would be helpful!

0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2017 01:45 PM

Like this:

| makeresults 
| eval raw="CONS02^NO> 18:01:09.489 18:01:10   EDTMFD FIN
CONS02^NO> 18:01:09.089 18:01:10   FMMFD  FIN
CONS02^NO> 18:01:09.089 18:01:10   EDTMFD START
CONS02^NO> 18:00:04.514 18:00:04   FTPFIL FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPST  FIN
CONS02^NO> 18:00:03.758 18:00:03   FTPFIL START
CONS02^NO> 18:00:03.558 18:00:03   FTPST  START
CONS02^NO> 18:00:03.363 18:00:03   FMMFD  START
CONS02^NO> 17:55:03.753 17:55:03   FTPFIL FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPSTA FIN
CONS02^NO> 17:55:03.186 17:55:03   FTPFIL START
CONS02^NO> 17:55:02.986 17:55:02   FTPSTA START"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<host>\S+)\s+(?<_time>\S+)\s+(?<time2>\S+)\s+(?<job>\S+)\s+(?<msg>\S+)$"
| eval _time = strptime(_time, "%H:%M:%S.%3N")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats range(_time) BY job
0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...