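index=foo
``` Report per-job run time: pair each job's "Log initialized" event with its "EMail Sent Successfully" event and subtract. ```
``` Extract the leading "MMDD HHMMSS" stamp and the parenthesised job id from the raw event. ```
| rex "^(?<datetime>\d+\s\d+)\s\((?<job_id>\d+)\)"
``` The format carries no year. NOTE(review): confirm which year strptime assumes before trusting durations that cross a year boundary. ```
| eval timestamp = strptime(datetime,"%m%d %H%M%S")
``` Keep the epoch time only on the start and end marker events; every other event contributes null. ```
| eval job_start_time = if(match(_raw, "Log initialized"), timestamp, null())
| eval job_end_time = if(match(_raw, "EMail Sent Successfully"), timestamp, null())
``` min()/max() always return a single value, so the subtraction below still works when a job_id logs a marker more than once. ```
``` values() would return a multivalue field in that case and leave durationInSec empty. ```
``` If job ids are reused across separate runs, add a per-run key to the by clause, otherwise unrelated runs are merged into one long duration. ```
| stats min(job_start_time) AS Start, max(job_end_time) AS End by job_id
``` Compute the duration while Start and End are still epoch seconds; a job with no end event yet yields an empty duration. ```
| eval durationInSec = End-Start
``` Format for display last, because the formatted strings can no longer be subtracted. ```
| eval Start = strftime(Start, "%D %T"), End = strftime(End, "%D %T")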