Hi Splunk heads,
I'm hoping someone might have the answer to this little issue I am facing.
I have a problem with the below search when the "Job Queued" and "Job Started" DateTime values are matching. If this is the case, the matching DateTime value will only be allocated to the "Job Queued" column, instead of slotting the timestamp into "Job Queued" and "Job Started". As a result of this, the "Variant Started" columns timestamp will be allocated to "Job Started" and the timestamp from "Variant Completed" will be allocated to "Variant Started".
Event="JobQueued" OR Event="JobProcessStarted" OR Event="VariantProcessStarted" OR Event="VariantProcessCompleted" | rename ProductionId as "Production ID" | rename JobProcessStarted as "Job Started" | rename JobQueued as "Job Queued" | rename VariantProcessStarted as "Variant Started" | rename VariantProcessCompleted as "Variant Completed" | fields DateTime JobId Event "Production ID" | stats values() as by JobId | where mvcount(Event)>1 | eval "Job Queued"=mvindex(DateTime,0) | eval "Job Started"=mvindex(DateTime,1) | eval "Variant Started"=mvindex(DateTime,2) | eval "Variant Completed"=mvindex(DateTime,3) | eval "P&P Duration"=strptime('Variant Completed',"%Y-%m-%dT%H:%M:%S") -strptime('Job Started',"%Y-%m-%dT%H:%M:%S") | eval "P&P Duration"=strftime('P&P Duration',"%H:%M:%S") | table "Production ID" JobId "Job Queued" "Job Started" "Variant Started" "Variant Completed" "P&P Duration" | sort by "Job Queued","Job Started" desc
Example result:
Production ID JobId Job Queued Job Started Variant Started Variant Completed P&P Duration
2/4080/0001#001 1B116C49-A75D-441F-89C6-B592D50BCF9A 2015-08-01T20:20:42 2015-08-01T21:10:01 2015-08-01T21:10:36
2/3995/0007#001 9B0736F4-4DAF-497B-98CC-66201C09E864 2015-08-01T13:57:04 2015-08-01T14:24:17 2015-08-01T14:24:46
Any advice would be very well appreciated.
Cheers,
F
... View more