Solved: Total duration of multiple events

zoebanning · ‎10-12-2021

Hello Splunk Community,

Can anyone help me build a query based on the below;

I have a batch job that has multiple steps logged as separate events. How can I calculate the total duration of the batch job (Step 1 Start - Step 5 End). Example of my output format (Dummy Data Used):

Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-11 24:20:31	01:21:52

THANK YOU!

kamlesh_vaghela · ‎10-12-2021

@zoebanning

I hope this will help you

YOUR_SEARCH
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

My Sample Search :

| makeresults | eval _raw="Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-12 00:20:31	01:21:52" | multikv forceheader=1
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

Thanks
KV
▄︻̷̿┻̿═━一 😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎10-12-2021

@zoebanning

I hope this will help you

YOUR_SEARCH
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

My Sample Search :

| makeresults | eval _raw="Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-12 00:20:31	01:21:52" | multikv forceheader=1
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

Thanks
KV
▄︻̷̿┻̿═━一 😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

zoebanning · ‎10-14-2021

Hi @kamlesh_vaghela,

Thank you, this is exactly what I was trying to achieve!

In the example below it only takes into consideration the batch steps for 1 batch job and you helped calculate the duration for this one job. Would you happen to know how to create a timechart which will show the duration of the batch jobs over a period of time (the batch usually runs overnight everyday)?

Let me know if you require additional information.

Thanks again for your outstanding help!!!

Zoe

Total duration of multiple events

eval

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Total duration of multiple events

eval

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle