Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Total duration of multiple events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunk Community,
Can anyone help me build a query based on the below;
I have a batch job that has multiple steps logged as separate events. How can I calculate the total duration of the batch job (Step 1 Start - Step 5 End). Example of my output format (Dummy Data Used):
| Step | Start_Time | End_Time | Duration (Hours) |
| 1 | 2021-09-11 22:45:00 | 2021-09-11 22:45:01 | 00:00:01 |
| 2 | 2021-09-11 22:45:01 | 2021-09-11 22:45:20 | 00:00:19 |
| 3 | 2021-09-11 22:45:20 | 2021-09-11 22:58:15 | 00:12:55 |
| 4 | 2021-09-11 22:58:15 | 2021-09-11 22:58:39 | 00:00:24 |
| 5 | 2021-09-11 22:58:39 | 2021-09-11 24:20:31 | 01:21:52 |
THANK YOU!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope this will help you
YOUR_SEARCH
| table Step Start_Time End_Time Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")
My Sample Search :
| makeresults | eval _raw="Step Start_Time End_Time Duration (Hours)
1 2021-09-11 22:45:00 2021-09-11 22:45:01 00:00:01
2 2021-09-11 22:45:01 2021-09-11 22:45:20 00:00:19
3 2021-09-11 22:45:20 2021-09-11 22:58:15 00:12:55
4 2021-09-11 22:58:15 2021-09-11 22:58:39 00:00:24
5 2021-09-11 22:58:39 2021-09-12 00:20:31 01:21:52" | multikv forceheader=1
| table Step Start_Time End_Time Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")
Thanks
KV
▄︻̷̿┻̿═━一 😉
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope this will help you
YOUR_SEARCH
| table Step Start_Time End_Time Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")
My Sample Search :
| makeresults | eval _raw="Step Start_Time End_Time Duration (Hours)
1 2021-09-11 22:45:00 2021-09-11 22:45:01 00:00:01
2 2021-09-11 22:45:01 2021-09-11 22:45:20 00:00:19
3 2021-09-11 22:45:20 2021-09-11 22:58:15 00:12:55
4 2021-09-11 22:58:15 2021-09-11 22:58:39 00:00:24
5 2021-09-11 22:58:39 2021-09-12 00:20:31 01:21:52" | multikv forceheader=1
| table Step Start_Time End_Time Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")
Thanks
KV
▄︻̷̿┻̿═━一 😉
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kamlesh_vaghela,
Thank you, this is exactly what I was trying to achieve!
In the example below it only takes into consideration the batch steps for 1 batch job and you helped calculate the duration for this one job. Would you happen to know how to create a timechart which will show the duration of the batch jobs over a period of time (the batch usually runs overnight everyday)?
Let me know if you require additional information.
Thanks again for your outstanding help!!!
Zoe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
