Re: Looking to create a chart that displays run ti...

fisuser1 · ‎03-13-2014

Hello, looking to create a data table that displays run time values of a batch jobs... Example of this would be defined below.

The DEPI_H element would be the start of the job, the DEPI_T element would be completion of the job. I am looking to create a table in Splunk that outputs the total runtime into a data table. Forgive my ignorance these, new to creating these...

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
AA1212|03/13/2014|06:33:03|03/13/2014|06:33:06|1212DEPI|XSFTP_EPI8
AA1212|03/13/2014|06:33:00|03/13/2014|06:33:02|1212DEPI|XSFTP_EPI7
AA1212|03/13/2014|06:32:57|03/13/2014|06:32:59|1212DEPI|XSFTP_EPI6
AA1212|03/13/2014|06:32:53|03/13/2014|06:32:56|1212DEPI|XSFTP_EPI5
AA1212|03/13/2014|06:32:50|03/13/2014|06:32:52|1212DEPI|XSFTP_EPI4
AA1212|03/13/2014|06:32:47|03/13/2014|06:32:49|1212DEPI|XSFTP_EPI3
AA1212|03/13/2014|06:32:44|03/13/2014|06:32:46|1212DEPI|XSFTP_EPI2
AA1212|03/13/2014|06:32:39|03/13/2014|06:32:43|1212DEPI|XSFTP_EPI1
AA1212|03/13/2014|06:32:37|03/13/2014|06:32:38|1212DEPI|XGETEPITZP
AA1212|03/13/2014|06:32:31|03/13/2014|06:32:36|1212DEPI|PZGETEPIT
AA1212|03/13/2014|06:31:28|03/13/2014|06:32:30|1212DEPI|XMONEPIT_
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

somesoni2 · ‎03-13-2014

Assuming your have field names like

field1|startDate|startTime|endDate|endTime|field2|field3

If you are interested in whole duration between and including event with DEPI_H to event with DEPI_T, try this

your base search | eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1

where field1 is the unique id for different batch run.

If you just want the duration of event with DEPI_H and DEPI_T, try this

your base search (field3="DEPI_H" OR field3="DEPI_T")| eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1

fisuser1 · ‎03-13-2014

Many thanks, I will give this a try!

fisuser1 · ‎03-13-2014

Yes, in this case, AA1212 is the identifier...

somesoni2 · ‎03-13-2014

Finally, since these events are for one batch run, do you have any field which separates different, some kind of Id?

fisuser1 · ‎03-13-2014

Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
and
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T

fisuser1 · ‎03-13-2014

Hello, thanks for the response. yes fields are already extracted. I would want the sum of the event time, correct. In this case, that being.

AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

and

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T

somesoni2 · ‎03-13-2014

Are the fields extracted already? For duration , you want the sum of duration of each event of total duration from DEPI_H to DEPI_T?

Looking to create a chart that displays run time values

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!