
Why are we encountering an issue while fetching response time?

sagar1992
Explorer

Hi Team,

I am using the below query, but I want the diff column in seconds format, but not sure, it is showing 00:00:19.000000.

I just have to minus response-request. I have converted to epoch also.

2019-03-15T05:57:02 - 2019-03-15T05:56:43 == result should be in sec

Query is below:

index="test_mulesoft" source=RoyalCaninOMSDev "*ProcessOrder*" | rex field=_raw "corelationid.*:\W+(?.*)\"" |  eval DateTime=strftime(_time,"%Y-%m-%dT%H:%M:%S") | eventstats earliest(DateTime) as request, latest(DateTime) as response by Request_Id  | eval it = strptime(request, "%Y-%m-%dT%H:%M:%S") | eval ot = strptime(response, "%Y-%m-%dT%H:%M:%S") | eval diff = tostring((ot - it), "duration") | table Request_Id,request,response,it,ot,diff

Thanks
Sagar

0 Karma

nickhills
Ultra Champion

Hi @sagar1992

This should subtract the two epoch values and round to the second.

...| eval it = strptime(request, "%Y-%m-%dT%H:%M:%S") | eval ot = strptime(response, "%Y-%m-%dT%H:%M:%S") | eval diff_sec =round(ot - it,0)
If my comment helps, please give it a thumbs up!

0 Karma
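
An added example, not part of the original thread: a self-contained search that builds constructed events with makeresults and computes the per-request gap in whole seconds as the accepted answer does. It goes slightly beyond the thread by taking min/max of _time directly (no strftime/strptime round trip) and by flagging a request that has only one event; the Request_Id values, the timestamps other than the pair from the question, and the events, diff_hms and status field names are assumptions.

```spl
| makeresults count=5
| streamstats count as n
| eval Request_Id=case(n<=2, "constructed-req-A", n<=4, "constructed-req-B", true(), "constructed-req-C")
| eval ts=case(n=1, "2019-03-15T05:56:43",
               n=2, "2019-03-15T05:57:02",
               n=3, "2019-03-15T06:10:00",
               n=4, "2019-03-15T06:11:05",
               n=5, "2019-03-15T06:20:00")
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| stats min(_time) as it, max(_time) as ot, count as events by Request_Id
| eval diff_sec=round(ot - it, 0)
| eval diff_hms=tostring(diff_sec, "duration")
| eval status=if(events < 2, "no response seen", "ok")
| eval request=strftime(it, "%Y-%m-%dT%H:%M:%S"), response=strftime(ot, "%Y-%m-%dT%H:%M:%S")
| table Request_Id request response diff_sec diff_hms status
```

diff_sec is the plain number of seconds, while diff_hms shows the same value rendered by tostring(..., "duration"), which is the HH:MM:SS form the question started from.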

sagar1992
Explorer

Awesome, this worked!!

Thanks @nickhillscpl

0 Karma

nickhills
Ultra Champion

Glad to have helped. Please upvote to help others in the future!
All the best.

If my comment helps, please give it a thumbs up!
0 Karma

harishalipaka
Motivator

Hi @sagar1992

index="test_mulesoft" source=RoyalCaninOMSDev "*ProcessOrder*" | rex field=_raw "corelationid.*:\W+(?.*)\"" | eval DateTime=strftime(_time,"%Y-%m-%dT%H:%M:%S") | eventstats earliest(DateTime) as request, latest(DateTime) as response by Request_Id | eval it = strptime(request, "%Y-%m-%dT%H:%M:%S") | eval ot = strptime(response, "%Y-%m-%dT%H:%M:%S") | eval diff = ot - it
Thanks
Harish
0 Karma

sagar1992
Explorer

It is doing subtraction of epoch, I need that output to be in seconds.

0 Karma