Solved: Creating a render time field

lifetech · ‎02-27-2012

Hi, was wondering if what I am trying to do is possible. I have a program that spits out the amount of time it takes to render a webpage that looks like:

HWFastProductDetailAjax took 345ms

I have no problems creating a field that gets the 345 time out, however within the log I also get:

SavePickupOptions took 1m, 78s, 540ms

With the field I created, it only see's the 1 which is inaccurate. What I would like to accomplish is if the took LIKE *m, *s, *ms then make the field something like (($s * 1000) + $ms) where $s would be seconds and $ms is milliseconds.

gkanapathy · ‎02-27-2012

No, but you can extract the minutes and seconds fields separately, then simply apply eval:

... | eval t_ms=(m*60000)+(s*1000)+ms

And then do whatever else you wanted:

...  |  eval t_ms=(m*60000)+(s*1000)+ms | stats avg(t_ms) by method_name

... SavePickOptions AND host=blah  |  eval t_ms=(m*60000)+(s*1000)+ms | where t_ms > 7000

View solution in original post

gkanapathy · ‎02-27-2012

No, but you can extract the minutes and seconds fields separately, then simply apply eval:

... | eval t_ms=(m*60000)+(s*1000)+ms

And then do whatever else you wanted:

...  |  eval t_ms=(m*60000)+(s*1000)+ms | stats avg(t_ms) by method_name

... SavePickOptions AND host=blah  |  eval t_ms=(m*60000)+(s*1000)+ms | where t_ms > 7000

Creating a render time field

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Creating a render time field

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES