Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the difference between the start and end time for each command from a script log and timechart the durations?

vasavigangana
Explorer
‎02-17-2015 11:00 PM

How do I search the difference between the start and end timestamps for each command in my script log and timechart the duration for each one?

I have a script log that looks like:

2015-02-16.46.580761857 , cmd1 = Start time of if 
2015-02-16.46.586912593 , cmd1 = end time of if 
2015-02-16.46.588503884 , cmd2 = Start time of if 
2015-02-16.46.589967322 , cmd2 = end time of if 
2015-02-16.46.591767534 , cmd3 = Start time of grep 
2015-02-16.46.595647254 , cmd3 = end time of grep 
2015-02-16.46.597398658 , cmd4 = Start time of if 
2015-02-16.46.598979442 , cmd4 = end time of if 
2015-02-16.46.600440199 , cmd5 = Start time of sed command 
2015-02-16.46.611868517 , cmd5 = end time of sed command 
2015-02-16.46.613545578 , cmd6 = Start time of if 
2015-02-16.46.614971442 , cmd6 = End time of if
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎02-18-2015 06:30 PM

What with this?
※After that, please calculate the duration .

.....your search.....|rex field=_raw "^(?P<Time>[^ ]+)\s+,\s+(?P<cmd_name>\w+)\s+=\s+(?P<status>\w+\s+\w+) of (?P<command>.+)"|eval start_time=if(status="Start time",Time,"")|eval end_time=if(status="end time" OR status="End time",Time,"")|table cmd_name,command,start_time,end_time|stats max(start_time) as start_time,max(end_time) as end_time by cmd_name,command

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎02-18-2015 06:30 PM

What with this?
※After that, please calculate the duration .

.....your search.....|rex field=_raw "^(?P<Time>[^ ]+)\s+,\s+(?P<cmd_name>\w+)\s+=\s+(?P<status>\w+\s+\w+) of (?P<command>.+)"|eval start_time=if(status="Start time",Time,"")|eval end_time=if(status="end time" OR status="End time",Time,"")|table cmd_name,command,start_time,end_time|stats max(start_time) as start_time,max(end_time) as end_time by cmd_name,command

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

vasavigangana
Explorer
‎03-25-2015 10:33 PM

.....your search.....|rex field=_raw "^(?P[^ ]+)\s+,\s+(?P\w+)\s+=\s+(?P\w+\s+\w+) of (?P.+)"|eval start_time=if(status="Start time",Time,"")|eval end_time=if(status="end time" OR status="End time",Time,"")|table cmd_name,command,start_time,end_time|stats max(start_time) as start_time,max(end_time) as end_time by cmd_name,command

THE ABOVE QUERIE NOT WORKING ANY ONE CAN HELP ME ON THIS QUESTION URGENT........

EITHER I HAVE TO ANY CONFIGURATION THAT I HAVE TO TAKE CONG FILE THAT SPEC OR EXAMPLE CONFG FILE PLEASE HELP ONTHIS

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 1 release of new security content via the ...

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...