Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find total execution time for multiple events?

din98
Explorer
‎07-25-2022 08:38 AM

Hey all,

I have a summary table that shows these values. Each error log and log in the 'Total logs' column (which contains error logs and successful logs) have a unique timestamp.

ProcessError logsTotal logs
A510
B615
C79

 

 

I want to find the total execution time for the error logs and the total logs for each process by adding the total execution times of the error/successful logs under each process. I am hoping to get a summary table like the one shown below.

ProcessError logsTotal logsTotal execution time
A5102 minutes
B61550 seconds
C794 minutes

 

Any help would be much appreciated. Thanks!

Labels (7)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2022 12:41 AM 
| eval starttime=strptime(started,"%Y-%m-%d %H:%M:%S.%7Q%:z")
| eval endtime=strptime(ended,"%Y-%m-%d %H:%M:%S.%7Q%:z")
| eval duration=endtime-starttime
| stats sum(errorLogs) as errorLogs sum(totalLogs) as totalLogs sum(duration) as duration by process
| fieldformat duration=tostring(duration, "duration")
0 Karma
Reply

din98
Explorer
‎07-26-2022 06:58 AM

Hi @ITWhisperer,

I tried that query but the 'duration' column only shows blank fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2022 07:29 AM

Please try this runanywhere example to see if the functions work in your environment

| makeresults
| eval started="2022-07-25 11:35:17.3605798+00:00"
| eval ended="2022-07-25 11:48:55.4371325+00:00"
| eval starttime=strptime(started,"%Y-%m-%d %H:%M:%S.%7Q%:z")
| eval endtime=strptime(ended,"%Y-%m-%d %H:%M:%S.%7Q%:z")
| eval duration=endtime-starttime
| fieldformat duration=tostring(duration,"duration")
0 Karma
Reply

din98
Explorer
‎07-25-2022 10:11 PM

@kamlesh_vaghela

here is the sample.

 

Untitled.png

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-25-2022 08:45 AM
@din98
Can you please share all sample events as well with the timestamp, error logs, and successful logs? This will be helpful to suggest proper solution.
KV
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...