Tring to get the time diffrence between end time of job and start time.but when i am running this query for long period it providing me less data.
index=hybecmprod OR index=hybadmprod host=HYBadmprd* fullProductAndStockFeedJob* "start job" OR "end job"
| eval Status=case(like(_raw,"%Start%"),"Start_Job",like(_raw,"%End%"),"End_Job")
|eval CronJob=case(like(_raw,"%fullProductAndStockFeedJob_1%"),"fullProductAndStockFeedJob_1",like(_raw,"%fullProductAndStockFeedJob_2%"),"fullProductAndStockFeedJob_2")
| eval host=case(like(host,"%HYBADMPRDAP%"),"AP",like(host,"%HYBADMPRDAM%"),"AM",like(host,"%HYBADMPRDEU1%"),"EU1",like(host,"%HYBADMPRDEU2%"),"EU2",like(host,"%HYBADMPRDEU3%"),"EU3")
| eval USERINFO=case(like(_raw,"%Start%"), host+":"+Status,like(_raw,"%End%"), host+":"+Status )
| rex field=USERINFO "(?<host>.*):(?<Status>.*)"
| eval startingTime=case(Status="Start_Job", _time)
| eval Endtime=case(Status="End_Job", _time)
| stats first(startingTime) as startingTime earliest(_time) as _time first(Endtime) as Endtime by host CronJob
| eval Time_taken=abs(Endtime-startingTime)
| eval JobStatus=case(Time_taken!="","Finished",1=1,"Running")
| fillnull
| lookup Market1.csv host CronJob OUTPUTNEW Market
| fields - startingTime
| rename _time as StartingTime
| eval Endtime=strftime(Endtime,"%Y/%m/%d %H:%M:%S")
| eval StartingTime=strftime(StartingTime,"%Y/%m/%d %H:%M:%S")
| eval Endtime=replace(Endtime,"1970/01/01 01:00:00","NA")
... View more