Re: Adding miliseconds to "duration"

Aqawelska · ‎05-19-2022

Hi all ,

I got this search query which checks the time difference between two events and it works great but I would like also to see the milliseconds of that calculation but at the moment it just shows H:MM:SS

"Duration" is which shows me the output from a toString eval but I would like it to show also milliseconds , anyone could help me out on this one ?

index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats 
     earliest(_time) AS Start_time 
     latest(_time) AS Finished_time 
     by host
| eval Latency=tostring(Finished_time-Start_time, "duration")<----- here
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%d/%m/%y %H:%M:%S.%3N")
| fieldformat Start_time=strftime(Start_time,"%d/%m/%y %H:%M:%S.%3N")

Output is (latency should be H:MM:SS:milliseconds) :

Start_time Finished_time Latency host

1

19/05/22 03:30:03.000

19/05/22 03:42:02.000

00:11:59

AUDIINSA4919

ITWhisperer · ‎05-19-2022

Try this

| eval Latency=tostring(Finished_time-Start_time+0.000, "duration")

Adding miliseconds to "duration"

monitoring console

search head

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!