One log line from the LDAP log file:
Sep 19 10:08:10 simxxx11 slapd_simxxx11: conn=3012 fd=52 ACCEPT from IP=10.100.10.102:53530 (IP=0.0.0.0:636)
I can capture the STARTTIME of the LDAP connection with a regular expression, but this gives me back a string. When I capture the STARTTIME using
rex "(?P<STARTTIME>\w+\s+\d+\s+\d+:\d+:\d+).+conn=\d+ fd=\d+ ACCEPT.+"
then I have the value Sep 19 10:08:12 in the variable STARTTIME. I want to convert it to a time format.
I have tried
But this does not work.
Another log line from the LDAP log file:
Sep 19 10:08:12 simxxx11 slapd_simxxx: conn=3012 fd=52 closed
rex "(?P<ENDTIME>\w+\s+\d+\s+\d+:\d+:\d+).+ conn=\d+ fd=\d+ closed"
I need to find the difference between the STARTTIME and ENDTIME.
If the timestamps you want to use for your calculations are in fact the timestamps that have been used when indexing the events, that information is available in the
_time field as an epoch value (which are great for mathematical operations).
There are several ways in which you can achieve this:
transaction, assuming that conn is a unique id for this connection (or at least unique within an hour or so). transaction automatically creates a new field called
transaction automatically creates a new field called
your_base_search | transaction conn maxevents=2 maxspan=1m startswith="ACCEPT" endswith="closed" | table conn duration
stats. Assumptions as before.
your_base_search | stats min(_time) AS StartTime max(_time) AS EndTime by conn | eval dur = tostring((EndTime - StartTime), "duration")
You could also look at the convert command instead of the
Some interesting reading:
Hope this helps,
Sorry, but I don't know the structure of your transactions. LDAP is not my strongest side. Is it something like:
Or is it more like:
You should probably post a few more sample events, highlighting which timestamps you need to compute durations for.
Thank you Kristian. Actually for a transaction based on conn, I can calculate the duration. But I want to calculate the individual BIND delays and SEARCH delays inside the transaction. Each operation inside a transaction has a unique op value. How can I use it to get to the individual delays?
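As an added example (not code from this thread, from Splunk, or from OpenLDAP), the same three computations carried out in Python outside Splunk so the logic is explicit: converting the syslog-style STARTTIME string captured by the question's rex into an epoch value, the per-connection duration that the stats approach in the answer produces, and the per-operation (conn + op) delays asked about in the last reply. The slapd lines are constructed and modelled on the two quoted above; the BIND/SRCH/RESULT line shapes follow OpenLDAP's usual log format, and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime, timezone

# Constructed sample slapd lines (not from the thread), modelled on the two quoted
# in the question. The BIND/SRCH/RESULT lines follow OpenLDAP's usual log format.
SAMPLE_LOG = """\
Sep 19 10:08:10 simxxx11 slapd_simxxx11: conn=3012 fd=52 ACCEPT from IP=10.100.10.102:53530 (IP=0.0.0.0:636)
Sep 19 10:08:10 simxxx11 slapd_simxxx11: conn=3012 op=0 BIND dn="cn=app,dc=example,dc=com" method=128
Sep 19 10:08:11 simxxx11 slapd_simxxx11: conn=3012 op=0 RESULT tag=97 err=0 text=
Sep 19 10:08:11 simxxx11 slapd_simxxx11: conn=3012 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Sep 19 10:08:12 simxxx11 slapd_simxxx11: conn=3012 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 19 10:08:12 simxxx11 slapd_simxxx11: conn=3012 fd=52 closed
"""

# Same timestamp capture as the question's rex, followed by conn, an optional fd,
# an optional op, and the rest of the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w+\s+\d+\s+\d+:\d+:\d+)\s+\S+\s+\S+:\s+conn=(?P<conn>\d+)"
    r"(?:\s+fd=\d+)?(?:\s+op=(?P<op>\d+))?\s+(?P<msg>.*)$"
)


def to_epoch(ts, year):
    """'Sep 19 10:08:10' -> epoch seconds (the string-to-time step the question asks for).
    Syslog timestamps carry no year, so the caller supplies it (assumed UTC here);
    a connection spanning New Year would need per-line year inference."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_events(log_text, year):
    """Turn raw lines into dicts with epoch time, conn, op (None for ACCEPT/closed) and message."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-matching lines are dropped here; count them in real use
        events.append({
            "time": to_epoch(m["ts"], year),
            "conn": int(m["conn"]),
            "op": int(m["op"]) if m["op"] is not None else None,
            "msg": m["msg"],
        })
    return events


def connection_durations(events):
    """Equivalent of `stats min(_time) AS StartTime max(_time) AS EndTime by conn`
    followed by EndTime - StartTime; returns {conn: seconds}. Order-independent."""
    bounds = {}
    for ev in events:
        start, end = bounds.get(ev["conn"], (ev["time"], ev["time"]))
        bounds[ev["conn"]] = (min(start, ev["time"]), max(end, ev["time"]))
    return {conn: end - start for conn, (start, end) in bounds.items()}


def op_delays(events):
    """Per-operation delay inside a connection: seconds from the request line
    (BIND, SRCH, ...) to its RESULT / SEARCH RESULT line, keyed by (conn, op).
    Assumes events arrive in time order, as they do in the log file."""
    pending = {}
    delays = {}
    for ev in events:
        if ev["op"] is None:
            continue  # ACCEPT and closed lines carry no op
        key = (ev["conn"], ev["op"])
        msg = ev["msg"]
        if msg.startswith("RESULT") or msg.startswith("SEARCH RESULT"):
            if key in pending:
                kind, started = pending.pop(key)
                delays[key] = (kind, ev["time"] - started)
        else:
            # first non-result line for this op is the request (BIND, SRCH, ...)
            pending.setdefault(key, (msg.split()[0], ev["time"]))
    return delays


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG, 2013)  # 2013 is an assumed year
    for conn, secs in connection_durations(evs).items():
        print(f"conn={conn} duration={secs:.0f}s")
    for (conn, op), (kind, secs) in op_delays(evs).items():
        print(f"conn={conn} op={op} {kind} delay={secs:.0f}s")
```

The per-op function pairs each request with the RESULT line sharing its conn and op, which is what grouping by both fields gives; an op that never logs a RESULT (connection dropped mid-search) simply never appears in the output rather than being reported with a bogus duration.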