Solved: Re: Total duration of multiple events

zoebanning · ‎10-12-2021

Hello Splunk Community,

Can anyone help me build a query based on the below;

I have a batch job that has multiple steps logged as separate events. How can I calculate the total duration of the batch job (Step 1 Start - Step 5 End). Example of my output format (Dummy Data Used):

Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-11 24:20:31	01:21:52

THANK YOU!

kamlesh_vaghela · ‎10-12-2021

@zoebanning

I hope this will help you

YOUR_SEARCH
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

My Sample Search :

| makeresults | eval _raw="Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-12 00:20:31	01:21:52" | multikv forceheader=1
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

Thanks
KV
▄︻̷̿┻̿═━一 😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎10-12-2021

@zoebanning

I hope this will help you

YOUR_SEARCH
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

My Sample Search :

| makeresults | eval _raw="Step	Start_Time	End_Time	Duration (Hours)
1	2021-09-11 22:45:00	2021-09-11 22:45:01	00:00:01
2	2021-09-11 22:45:01	2021-09-11 22:45:20	00:00:19
3	2021-09-11 22:45:20	2021-09-11 22:58:15	00:12:55
4	2021-09-11 22:58:15	2021-09-11 22:58:39	00:00:24
5	2021-09-11 22:58:39	2021-09-12 00:20:31	01:21:52" | multikv forceheader=1
| table Step	Start_Time	End_Time	Duration*
| eval start_epoch=strptime(Start_Time,"%Y-%m-%d %H:%M:%S"),end_epoch=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| stats min(start_epoch) as start_epoch max(end_epoch) as end_epoch
| eval diff_in_sec=end_epoch-start_epoch,duration=tostring(diff_in_sec,"duration")

Thanks
KV
▄︻̷̿┻̿═━一 😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

zoebanning · ‎10-14-2021

Hi @kamlesh_vaghela,

Thank you, this is exactly what I was trying to achieve!

In the example below it only takes into consideration the batch steps for 1 batch job and you helped calculate the duration for this one job. Would you happen to know how to create a timechart which will show the duration of the batch jobs over a period of time (the batch usually runs overnight everyday)?

Let me know if you require additional information.

Thanks again for your outstanding help!!!

Zoe

Total duration of multiple events

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation