Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you calculate time taken by process with date and generate a report from it where input is a log file?

shubhambhagat02
New Member
‎10-16-2018 05:03 AM

My log file is like
02/04/2018 - 06:27:23 --- process 1 started
02/04/2018 - 06:28:23 --- process 1 completed
02/04/2018 - 06:28:23 --- backup initiated
02/04/2018 - 06:30:23 --- mail sent
02/04/2018 - 06:31:23 --- 'back up completed

I want to calculate time taken by " backup initiated" to "back up completed" with date. I want to generate a report for date and time taken by the process.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-16-2018 07:13 AM

@shubhambhagat02

If you do not have a common field for each events to denote a start//finish, try using transaction

your searches | transaction startswith="backup initiated" endswith="back up completed" maxspan=10m

Above gives you a "duration". Maxspan should be changed according to your process durations

OR

If there are only two events in a day, then set the time rande to that day and 

search "backup*"|stats earliest(_time) as backup_start_time,latest(_time) as backup_end_time|eval duration=backup_end_time-backup_start_time
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-16-2018 07:13 AM

@shubhambhagat02

If you do not have a common field for each events to denote a start//finish, try using transaction

your searches | transaction startswith="backup initiated" endswith="back up completed" maxspan=10m

Above gives you a "duration". Maxspan should be changed according to your process durations

OR

If there are only two events in a day, then set the time rande to that day and 

search "backup*"|stats earliest(_time) as backup_start_time,latest(_time) as backup_end_time|eval duration=backup_end_time-backup_start_time
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...