topic Re: How can I subtract two timestamp fields in a transaction to get duration? in Getting Data In

How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 09:19:55 GMT

Helllo, I've been trying to subtract two timestamp fields from each other within a transaction. A timestamp as such:

2018-12-11T09:54:16.869+01:00
2018-12-11T09:54:16.874+01:00

The current search I'm using is as follows:

index=testindex sourcetype="_json" 
| transaction engine.correlationId startswith="tracepoint=Entry" endswith="tracepoint=Exit" mvlist=engine.currentTimestamp
| eval firstValue1=mvindex(engine.currentTimestamp,0) 
| eval secondValue1=mvindex(engine.currentTimestamp,1) 

| eval end_time_epoch = strptime(firstValue1, "%Y-%m-%dT%H:%M:%S.%f")
| eval begin_time_epoch = strptime(secondValue1, "%Y-%m-%dT%H:%M:%S.%f")
| eval duration = end_time_epoch - begin_time_epoch

| table engine.currentTimestamp firstValue1 secondValue1 duration

I was expecting to get "duration" as the two timestamps subtracted from the from each other, which would give the difference in milliseconds. For some reason, only engine.currentTimestamp is returning the multiple timestamp-values of the transaction and the other fields are returning empty in the table.

Perhaps it is the mvlist, which isn't working, but it could also be the calculation since it is trying to subtract within a transaction that has 2 or 3 timestamps from 2 or 3 events.

Any ideas?

Thanks in advance!

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 12:23:05 GMT

Hi! Can you post the value of engine.currentTimestamp of one sample event?

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 12:30:32 GMT

Hi whrg,

A single value would be as follows:
"currentTimestamp": "2018-12-11T13:24:16.869+01:00"
Though in a transaction it would have multiple timestamps.

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 12:41:40 GMT

Having a look at Date and time format variables, %f is not listed. So you might need to change the time format for the strptime function.

Perhaps this will work better:

| makeresults count=1 | eval timestamp="2018-12-11T13:24:16.869+01:00"
| eval epoch_time = strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%:z")

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 12:49:28 GMT

Does engine.currentTimestamp exist as a multivalue field after the transaction command?

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 12:51:43 GMT

This seems to have fixed the time layout, as this command works. Something else seems to be going on though.

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 12:53:28 GMT

Not too sure how to check this

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 12:55:39 GMT

Search for index=... | transaction ...
(That is, remove the lines after transaction.)

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 13:06:47 GMT

This is what it returns as one event with the transaction command:

 {
    "engine": {
      "currentTimestamp": "2018-12-11T13:54:16.869+01:00",
      "localization": "Central European Time",
      "processId": "10790@DESKTOP-68CLR",
      "applicationName": "cr_quotes",
      "messageId": "de1d3e0-fd4311e8-811c-005056a4ee"
    },
    "tracepoint": "Entry"
  }
{
    "engine": {
      "currentTimestamp": "2018-12-11T13:54:16.967+01:00",
      "localization": "Central European Time",
      "processId": "10790@DESKTOP-68CLR",
      "applicationName": "cr_quotes",
      "messageId": "de46d3e0-fd43-11e8-8f1c-0050563ee"
    },
    "tracepoint": "Exit"
  }

Hope this answers the question!

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 14:42:52 GMT

Hi again! Apparently, the issue lies with this line:

| eval firstValue1=mvindex(engine.currentTimestamp,0)

I believe the dot is causing the issue. Can you try this:

| eval firstValue1=mvindex("engine.currentTimestamp",0)

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 19:19:32 GMT

You were right, the dot caused an issue. I believe there is something I'm missing though. I was expecting the firstValue1 and secondValue1 to set the value of the timestamp, not the name of the field. Heres a sample output below:

Perhaps something with mvlist or mvindex?

Re: How can I subtract two timestamp fields in a transaction to get duration?

whrg — Tue, 11 Dec 2018 20:02:33 GMT

Instead of double quotes, try single quotes as I just read here: Dealing with field names with a period in it

| eval firstValue1=mvindex('engine.currentTimestamp',0)

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Tue, 11 Dec 2018 20:15:00 GMT

Fixed it, turns out indeed the dot between "engine.currentTimestamp" was causing the problem.
a simple "rename *** AS ****" fixed the problem. Thanks for the input whrg!

Re: How can I subtract two timestamp fields in a transaction to get duration?

ykoolhout — Wed, 12 Dec 2018 08:44:30 GMT

Guess it's so simple you look over it. But the single quotes work aswell! Thanks.