Splunk Search

Looking to create a chart that displays run time values

Communicator

Hello, looking to create a data table that displays run time values of batch jobs... An example of this is defined below.

The DEPI_H element would be the start of the job, and the DEPI_T element would be the completion of the job. I am looking to create a table in Splunk that outputs the total runtime into a data table. Forgive my ignorance, I am new to creating these...

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
AA1212|03/13/2014|06:33:03|03/13/2014|06:33:06|1212DEPI|XSFTPEPI8
AA1212|03/13/2014|06:33:00|03/13/2014|06:33:02|1212DEPI|XSFTPEPI7
AA1212|03/13/2014|06:32:57|03/13/2014|06:32:59|1212DEPI|XSFTPEPI6
AA1212|03/13/2014|06:32:53|03/13/2014|06:32:56|1212DEPI|XSFTPEPI5
AA1212|03/13/2014|06:32:50|03/13/2014|06:32:52|1212DEPI|XSFTPEPI4
AA1212|03/13/2014|06:32:47|03/13/2014|06:32:49|1212DEPI|XSFTPEPI3
AA1212|03/13/2014|06:32:44|03/13/2014|06:32:46|1212DEPI|XSFTPEPI2
AA1212|03/13/2014|06:32:39|03/13/2014|06:32:43|1212DEPI|XSFTPEPI1
AA1212|03/13/2014|06:32:37|03/13/2014|06:32:38|1212DEPI|XGETEPITZP
AA1212|03/13/2014|06:32:31|03/13/2014|06:32:36|1212DEPI|PZGETEPIT
AA1212|03/13/2014|06:31:28|03/13/2014|06:32:30|1212DEPI|XMONEPIT_
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

0 Karma

SplunkTrust

Assuming you have field names like

field1|startDate|startTime|endDate|endTime|field2|field3

If you are interested in the whole duration between and including the event with DEPI_H and the event with DEPI_T, try this

your base search | eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1

where field1 is the unique ID for different batch runs.

If you just want the duration of the events with DEPI_H and DEPI_T, try this

your base search (field3="DEPI_H" OR field3="DEPI_T") | eval Start=strptime(startDate." ".startTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(endDate." ".endTime,"%m/%d/%Y %H:%M:%S") | eval DurationSecs=End-Start | stats sum(DurationSecs) as TotalDurationSecs by field1
0 Karma
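
An added example, not part of the original answer: a Python check that reproduces both searches' arithmetic on the question's sample records and also computes the wall-clock time from the DEPI_H start to the DEPI_T end, which goes beyond the searches and differs from the sums because gaps between steps are not counted. The function name `runtimes` and the output keys are assumptions; the field layout follows the one given in the answer.

```python
from collections import defaultdict
from datetime import datetime

# Records from the question, with the wrapped step names rejoined.
SAMPLE = """\
AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T
AA1212|03/13/2014|06:33:03|03/13/2014|06:33:06|1212DEPI|XSFTPEPI8
AA1212|03/13/2014|06:33:00|03/13/2014|06:33:02|1212DEPI|XSFTPEPI7
AA1212|03/13/2014|06:32:57|03/13/2014|06:32:59|1212DEPI|XSFTPEPI6
AA1212|03/13/2014|06:32:53|03/13/2014|06:32:56|1212DEPI|XSFTPEPI5
AA1212|03/13/2014|06:32:50|03/13/2014|06:32:52|1212DEPI|XSFTPEPI4
AA1212|03/13/2014|06:32:47|03/13/2014|06:32:49|1212DEPI|XSFTPEPI3
AA1212|03/13/2014|06:32:44|03/13/2014|06:32:46|1212DEPI|XSFTPEPI2
AA1212|03/13/2014|06:32:39|03/13/2014|06:32:43|1212DEPI|XSFTPEPI1
AA1212|03/13/2014|06:32:37|03/13/2014|06:32:38|1212DEPI|XGETEPITZP
AA1212|03/13/2014|06:32:31|03/13/2014|06:32:36|1212DEPI|PZGETEPIT
AA1212|03/13/2014|06:31:28|03/13/2014|06:32:30|1212DEPI|XMONEPIT_
AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H
"""

FMT = "%m/%d/%Y %H:%M:%S"  # same format as the strptime() calls in the answer

def runtimes(text, first="DEPI_H", last="DEPI_T"):
    """Per job id: summed step seconds, marker-only seconds, wall-clock seconds."""
    jobs = defaultdict(lambda: {"sum_all": 0, "sum_markers": 0, "t0": None, "t1": None})
    for line in filter(None, map(str.strip, text.splitlines())):
        job, sd, st, ed, et, _group, step = line.split("|")
        start = datetime.strptime(f"{sd} {st}", FMT)
        end = datetime.strptime(f"{ed} {et}", FMT)
        secs = int((end - start).total_seconds())
        if secs < 0:
            raise ValueError(f"end precedes start: {line}")
        j = jobs[job]
        j["sum_all"] += secs  # first search: every step
        if step in (first, last):
            j["sum_markers"] += secs  # second search: DEPI_H and DEPI_T only
        if step == first:
            j["t0"] = start
        if step == last:
            j["t1"] = end
    out = {}
    for job, j in jobs.items():
        # Elapsed time needs both markers; None flags a run with one missing.
        wall = int((j["t1"] - j["t0"]).total_seconds()) if j["t0"] and j["t1"] else None
        out[job] = {"sum_all": j["sum_all"], "sum_markers": j["sum_markers"], "wall_clock": wall}
    return out

if __name__ == "__main__":
    print(runtimes(SAMPLE))
```
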

Communicator

Many thanks, I will give this a try!

0 Karma

Communicator

Yes, in this case, AA1212 is the identifier...

0 Karma

SplunkTrust

Finally, since these events are for one batch run, do you have any field which separates different, some kind of Id?

0 Karma

Communicator

Hello, thanks for the response. Yes, fields are already extracted. I would want the sum of the event time, correct. In this case, that being:

AA1212|03/13/2014|06:30:02|03/13/2014|06:31:20|1212DEPI|DEPI_H

and

AA1212|03/13/2014|06:33:06|03/13/2014|06:33:07|1212DEPI|DEPI_T

0 Karma

SplunkTrust

Are the fields extracted already? For duration, do you want the sum of the duration of each event or the total duration from DEPI_H to DEPI_T?

0 Karma