Hello all, I'm trying to calculate the amount of time a job took to run from an event that looks like so:

2016-08-26 11:18:44 HistoryId="1710410", JobSource="861638A0-67C8-4661-B788-E615363436FA", JobId="6989A4FF-BD2B-43D6-8520-69A8A064600E", QueueTime="2016-08-26 15:18:32.147", StartTime="2016-08-26 15:18:32.97", EndTime="2016-08-26 15:18:38.4", AgentId="FD64361C-2F23-4496-9B69-3DDDD0D4DBA0", Result="0", ResultMessage="[Common Structures Warehouse Sync]:  ---> MakeDataChanges() result=NoChangesPending. ---> Result: Succeeded", QueuedReasons="1", QueueFlags="0", Priority="7"

Currently doing the following:

index=application | lookup tfs_jobs jobID as JobId OUTPUT jobName | eval stime=strptime(StartTime,"Y-%m-%d %H:%M:%S.%3N") | eval etime=strptime(EndTime,"Y-%m-%d %H:%M:%S.%3N") | table stime

Just to see if I can match the "StartTime" field.

But appears that stime is not even populated because the table is blank. This event is coming from a MSSQL backend and I'm not 100% i'm matching the millisecond time at the end .97 correctly. I've also seen events come in as such:

2016-08-26 10:48:44 HistoryId="1710403", JobSource="861638A0-67C8-4661-B788-E615363436FA", JobId="6989A4FF-BD2B-43D6-8520-69A8A064600E", QueueTime="2016-08-26 14:48:32.147", StartTime="2016-08-26 14:48:33.403", EndTime="2016-08-26 14:48:35.567", AgentId="FD64361C-2F23-4496-9B69-3DDDD0D4DBA0", Result="0", ResultMessage="[Common Structures Warehouse Sync]:  ---> MakeDataChanges() result=NoChangesPending. ---> Result: Succeeded", QueuedReasons="1", QueueFlags="0", Priority="7"

Which makes me conclude it's in milliseconds and I'm using the %3N.

Any assistance on what I'm doing wrong would be appreciated.

Thanks