Splunk Search

Trying to find the 'run time' difference between two daily jobs

Communicator

Hello -

I am trying to find a way to display the daily run time of a job that kicks off daily. I am trying to create a display table that shows the start time of the job, the end time of the job and the amount of time the job took to complete daily.

The start time can be defined by: ZSTRTMAIL
And the end time can be defined by: ZENDMAIL

I've created the search below, but it does not seem to be calcuting the time differnece between when ZSTRTMAIL starts and ZENDMAIL ends. Any help would be greatly appreciated.

<event>
  <searchString>sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | eval Duration=End-Start | stats sum(Duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs</searchString>
  <earliestTime>-7d</earliestTime>
  <latestTime>now</latestTime>
</event>
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this (please validate the field names as the fields in your logs and your query in the question seems to be different)

sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime,"%H:%M:%S") 
| eval End=EndDate." ".strftime(EndTime,"%H:%M:%S") 
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" Company | eval TotalDurationSecs=EndTime - StartTime | table Company Start End TotalDurationSecs

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try this (please validate the field names as the fields in your logs and your query in the question seems to be different)

sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime,"%H:%M:%S") 
| eval End=EndDate." ".strftime(EndTime,"%H:%M:%S") 
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" Company | eval TotalDurationSecs=EndTime - StartTime | table Company Start End TotalDurationSecs

View solution in original post

0 Karma

Communicator

That worked perfectly! Thank you somesoni2!!!

0 Karma

SplunkTrust
SplunkTrust

My bad. Try the updated answer. This should take care of formatting of Start and End.

Communicator

And this is the output of said query:

Start End TotalDurationSecs
1404719208.000000 1404720208.000000 1000
1404762808.000000 1404763808.000000 1000
1404693808.000000 1404696808.000000 3000
1404645408.000000 1404647408.000000 2000
1404680608.000000 1404681608.000000 1000
1404703008.000000 1404704008.000000 1000
1404705008.000000 1404623608.000000 5000
1404619608.000000 1404620608.000000 1000
1404655008.000000 1404656008.000000 1000
1404668408.000000 1404669408.000000 1000

0 Karma

Communicator

Thanks again. This is the query:
sourcetype=PROFILEDAYENDSTATS ClientName = "*" (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null) | eval EndTime=if(UPROC="ZSTRTMAIL",EndTime,null)
| eval Start=strptime(StartDate." ".strftime(StartTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".strftime(EndTime,"%H:%M:%S"),"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" ClietName | eval TotalDurationSecs=EndTime - StartTime | table ClientName Start End TotalDurationSecs

0 Karma

SplunkTrust
SplunkTrust

can you share the query that you're running? The output should be in table format from the query that I suggested.

0 Karma

Communicator

This is what it displays in the Events running the command.

PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL

0 Karma

SplunkTrust
SplunkTrust

Try the updated answer.

0 Karma

Communicator

Thank you! This looks MUCH better! I am seeing inaccurate years populated in the table, any suggestions?

ClientName Start End TotalDurationSecs
01/08/1978 03:46:48 01/08/1978 04:03:28 1000
12/20/1977 15:53:28 12/20/1977 16:10:08 1000
12/04/1977 20:43:28 12/04/1977 21:33:28 3000
11/30/1977 07:16:48 11/30/1977 07:50:08 2000
11/17/1977 17:03:28 11/17/1977 17:20:08 1000
11/11/1977 23:16:48 11/11/1977 23:33:28 1000
11/06/1977 23:50:08 11/07/1977 01:13:28 5000
10/17/1977 00:06:48 10/17/1977 00:23:28 1000

0 Karma

Communicator

Sure...

Detail Data consists of Company|Start Date|Start Time|End Date|End Time|Session|UPROC

PP1800|07/07/2014|1404707403000|07/07/2014|1404707404000|1800DEOD|ZSTRTMAIL
PP1800|07/07/2014|1404717862000|07/07/2014|1404717863000|1800DDDP|ZENDMAIL
PP3500|07/07/2014|1404705805000|07/07/2014|1404705806000|3500DEOD|ZSTRTMAIL
PP3500|07/07/2014|1404706391000|07/07/2014|1404706393000|3500DDDP|ZENDMAIL
PP7700|07/06/2014|1404704440000|07/06/2014|1404704443000|7700DEOD|ZSTRTMAIL
PP7700|07/07/2014|1404713856000|07/07/2014|1404713861000|7700DDDP|ZENDMAIL

0 Karma

SplunkTrust
SplunkTrust

Can you provide some sample logs? Its a pretty regulation requirement and sample can help get you closest answer.

0 Karma

SplunkTrust
SplunkTrust

Try this search. Note: the field "duration" is auto calculated as part of the transaction command.

sourcetype=DAYEND_STATS $client$ (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") | eval Start=strptime(StartDate." ".StartTime,"%m/%d/%Y %H:%M:%S") | eval End=strptime(EndDate." ".EndTime,"%m/%d/%Y %H:%M:%S") | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAiL" maxspan=8h ClientName | stats sum(duration) as TotalDurationSecs by ClientName | table ClientName, Start, End, TotalDurationSecs
0 Karma