Trying to find the 'run time' difference between two daily jobs

Communicator

Hello -

I am trying to find a way to display the daily run time of a job that kicks off daily. I am trying to create a display table that shows the start time of the job, the end time of the job and the amount of time the job took to complete daily.

The start time can be defined by: ZSTRTMAIL
And the end time can be defined by: ZENDMAIL

I've created the search below, but it does not seem to be calculating the time difference between when ZSTRTMAIL starts and ZENDMAIL ends. Any help would be greatly appreciated.

<event>
  <searchString>sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | eval Duration=End-Start | stats sum(Duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs</searchString>
  <earliestTime>-7d</earliestTime>
  <latestTime>now</latestTime>
</event>
0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

SplunkTrust

Try this search. Note: the field "duration" is auto calculated as part of the transaction command.

sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" maxspan=8h ClientName | stats sum(duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs
0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

SplunkTrust

Can you provide some sample logs? It's a pretty regulation requirement, and a sample can help get you the closest answer.

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

Communicator

Sure...

Detail Data consists of Company|Start Date|Start Time|End Date|End Time|Session|UPROC

PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

SplunkTrust

Try this (please validate the field names, as the fields in your logs and your query in the question seem to be different):

sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null()) | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null())
| eval Start=StartDate." ".strftime(StartTime,"%H:%M:%S") 
| eval End=EndDate." ".strftime(EndTime,"%H:%M:%S") 
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" Company | eval TotalDurationSecs=EndTime - StartTime | table Company Start End TotalDurationSecs

0 Karma
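
As an added example (not part of the original thread, and Python rather than Splunk search language), here is the pairing the search above is meant to perform, worked over the six sample rows posted earlier: each ZSTRTMAIL row is matched with the next ZENDMAIL row for the same company, and the epoch-millisecond values are divided by 1000 before being reported as seconds or formatted. The function names and the use of UTC for display are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed input: the six sample rows posted in the thread.
# Layout: Company|Start Date|Start Time|End Date|End Time|Session|UPROC
SAMPLE = """\
PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL
"""

START_JOB, END_JOB = "ZSTRTMAIL", "ZENDMAIL"


def parse(text):
    """Yield (company, uproc, start_ms, end_ms) for each well-formed row."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 7:
            continue  # skip blank or malformed rows
        company, _sd, start_ms, _ed, end_ms, _session, uproc = parts
        yield company, uproc, int(start_ms), int(end_ms)


def run_times(text):
    """Pair each ZSTRTMAIL with the next ZENDMAIL of the same company."""
    rows = sorted(parse(text), key=lambda r: (r[0], r[2]))
    open_start, runs = {}, []
    for company, uproc, start_ms, end_ms in rows:
        if uproc == START_JOB:
            open_start[company] = start_ms  # a newer start replaces an unmatched one
        elif uproc == END_JOB and company in open_start:
            begin = open_start.pop(company)  # an end with no open start is ignored
            runs.append((company, begin, end_ms, (end_ms - begin) / 1000))
    return runs


def fmt(ms):
    """Epoch milliseconds -> UTC timestamp string (divide by 1000 first)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    for company, begin, end, secs in run_times(SAMPLE):
        print(company, fmt(begin), fmt(end), secs)
```

Pairing in time order per company, rather than grouping by the date column, keeps a run such as PP7700's (start dated 07/06, end dated 07/07) together.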

Re: Trying to find the 'run time' difference between two daily jobs

Communicator

Thank you! This looks MUCH better! I am seeing inaccurate years populated in the table, any suggestions?

ClientName Start End TotalDurationSecs
01/08/1978 03:46:48 01/08/1978 04:03:28 1000
12/20/1977 15:53:28 12/20/1977 16:10:08 1000
12/04/1977 20:43:28 12/04/1977 21:33:28 3000
11/30/1977 07:16:48 11/30/1977 07:50:08 2000
11/17/1977 17:03:28 11/17/1977 17:20:08 1000
11/11/1977 23:16:48 11/11/1977 23:33:28 1000
11/06/1977 23:50:08 11/07/1977 01:13:28 5000
10/17/1977 00:06:48 10/17/1977 00:23:28 1000

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

SplunkTrust

Try the updated answer.

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

Communicator

This is what it displays in the Events running the command.

PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

SplunkTrust

Can you share the query that you're running? The output should be in table format from the query that I suggested.

0 Karma

Re: Trying to find the 'run time' difference between two daily jobs

Communicator

Thanks again. This is the query:
sourcetype=PROFILEDAYENDSTATS ClientName = "*" (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=strptime(StartDate." ".strftime(StartTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".strftime(EndTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" ClietName | eval TotalDurationSecs=EndTime - StartTime | table ClientName Start End TotalDurationSecs

0 Karma