Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the start and end time based on key words in logs?

merc14
Explorer
‎02-05-2023 06:55 PM

Hi folks looking for some expert opinion.

my logs contains many diff files. I want to capture the start and end time for each file 

the logs looks like this

timestamp 202301_filex_a_b.z started execution

timestamp 202301_filex_a_b.z finished execution

timestamp 202301_filey_e_f.z started execution

timestamp 202301_filey_e_f.z finished execution

The output would look something like

filex | start timestamp | end timestamp | duration

filey | start timestamp | end timestamp | duration

I was able to do write diff search for start and end and then join them on the filename, but wondering if there is a better way to do it

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-05-2023 07:47 PM

Simple method is

| stats min(_time) as start max(_time) as end by file
| eval duration=end-start

That assumes the following

  • you have a field "file" containing the file name
  • _time is the log timestamp of the event
  • there are only 2 log messages per file and start always comes before end

It simply calculates the minimum and maximum value for the time and then calculates duration

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-05-2023 07:47 PM

Simple method is

| stats min(_time) as start max(_time) as end by file
| eval duration=end-start

That assumes the following

  • you have a field "file" containing the file name
  • _time is the log timestamp of the event
  • there are only 2 log messages per file and start always comes before end

It simply calculates the minimum and maximum value for the time and then calculates duration

0 Karma
Reply
Solved! Jump to solution

merc14
Explorer
‎02-06-2023 08:32 PM

need one more clarification, here file is a substring (filex, filey), can you please let me know how I can get the value for file  and combine it with | stats 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎02-06-2023 09:59 PM

Use rex to extract the file name portion from the string that you want.

For example, if you have the _raw string which contains your data as in your example, you can do this regular expression to extract the filex/filey parts

| rex " \d{6}_(?<file>[A-Za-z0-9]+)"

that looks for a space + 6 digits then an _ before it then extracts a new field called "file" containing just the characters in the square brackets.

If you already have a field containing that entire string, then use

| rex field=your_field "\d{6}_(?<file>[A-Za-z0-9]+)"

or change the regex as needed. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...