Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding miliseconds to "duration"

Aqawelska
Observer
‎05-19-2022 03:50 AM

Hi all ,

I got this search query which checks the time difference between two events and it works great but I would like also to see the milliseconds of that calculation but at the moment it just shows H:MM:SS

"Duration" is which shows me the output from a toString eval but I would like it to show also milliseconds , anyone could help me out on this one ?

 

 

 

index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats 
     earliest(_time) AS Start_time 
     latest(_time) AS Finished_time 
     by host
| eval Latency=tostring(Finished_time-Start_time, "duration")<----- here
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%d/%m/%y %H:%M:%S.%3N")
| fieldformat Start_time=strftime(Start_time,"%d/%m/%y %H:%M:%S.%3N")

 

 

 


Output is (latency should be H:MM:SS:milliseconds) :

  Start_time                                   Finished_time                            Latency           host

119/05/22 03:30:03.00019/05/22 03:42:02.00000:11:59AUDIINSA4919
Labels (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 04:20 AM

Try this

| eval Latency=tostring(Finished_time-Start_time+0.000, "duration")
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...