topic Re: subtract response time value in 'ms' from the _time field and assign it to new field. in Splunk Search

subtract response time value in 'ms' from the _time field and assign it to new field.

nmohammed — Tue, 29 Sep 2020 13:02:44 GMT

Hi,

Our application logs an event at the end of completion of an api call with response time in milliseconds(ms) like this <16ms>. I have already extracted the response time into field "ex_time" . we need to find the start time of the api call and assign it to a field possibly... where the start time is difference between log event timestamp (_time) and response time (ex_time). how can we achieve this ?

start_time = _time - ex_time

The start time should be in same format as the _time field.

Sample event --

[02/28/17 10:24:12.5387] DEBUG {14679}: <6189c8b7-59f9-4c63-bb91-6b1eb4435706>MilestonesAclManager.CheckPermissions(, "2") by dren.lock/Elapssecom/b7b05b47-c853-4dcd-9dd0-3dfab3c2cf77. ,<16ms>

Any hints and help appreciated.
Thanks

Re: subtract response time value in 'ms' from the _time field and assign it to new field.

somesoni2 — Tue, 28 Feb 2017 19:28:11 GMT

The _time is a special field whose underlying values is in epoch format. Give this a try

your base search | eval start_time=_time-(ex_time/1000) | convert ctime(start_time)

You can also specify your own format like this

your base search | eval start_time=_time-round(ex_time/1000,4) | convert ctime(start_time) timeformat="%m/%d/%y %H:%M:%S.%4N")

Re: subtract response time value in 'ms' from the _time field and assign it to new field.

DalJeanis — Tue, 28 Feb 2017 20:11:33 GMT

When sending a post including code, be sure to mark it as code with the button that say 101 010. That will keep the interface from treating pieces of it as html and format instructions.

What part of your sample event is the elapsed ms?

Re: subtract response time value in 'ms' from the _time field and assign it to new field.

nmohammed — Tue, 28 Feb 2017 22:00:49 GMT

Thanks SomeSoni. the second one worked as expected.