Solved: How can I subtract two timestamp fields in a trans... - Page 2

ykoolhout · ‎12-11-2018

Helllo, I've been trying to subtract two timestamp fields from each other within a transaction. A timestamp as such:

2018-12-11T09:54:16.869+01:00
2018-12-11T09:54:16.874+01:00

The current search I'm using is as follows:

index=testindex sourcetype="_json" 
| transaction engine.correlationId startswith="tracepoint=Entry" endswith="tracepoint=Exit" mvlist=engine.currentTimestamp
| eval firstValue1=mvindex(engine.currentTimestamp,0) 
| eval secondValue1=mvindex(engine.currentTimestamp,1) 

| eval end_time_epoch = strptime(firstValue1, "%Y-%m-%dT%H:%M:%S.%f")
| eval begin_time_epoch = strptime(secondValue1, "%Y-%m-%dT%H:%M:%S.%f")
| eval duration = end_time_epoch - begin_time_epoch

| table engine.currentTimestamp firstValue1 secondValue1 duration

I was expecting to get "duration" as the two timestamps subtracted from the from each other, which would give the difference in milliseconds. For some reason, only engine.currentTimestamp is returning the multiple timestamp-values of the transaction and the other fields are returning empty in the table.

Perhaps it is the mvlist, which isn't working, but it could also be the calculation since it is trying to subtract within a transaction that has 2 or 3 timestamps from 2 or 3 events.

Any ideas?

Thanks in advance!

whrg · ‎12-11-2018

Hi again! Apparently, the issue lies with this line:

| eval firstValue1=mvindex(engine.currentTimestamp,0)

I believe the dot is causing the issue. Can you try this:

| eval firstValue1=mvindex("engine.currentTimestamp",0)

View solution in original post

How can I subtract two timestamp fields in a transaction to get duration?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!