Solved: Creating a render time field

lifetech · ‎02-27-2012

Hi, was wondering if what I am trying to do is possible. I have a program that spits out the amount of time it takes to render a webpage that looks like:

HWFastProductDetailAjax took 345ms

I have no problems creating a field that gets the 345 time out, however within the log I also get:

SavePickupOptions took 1m, 78s, 540ms

With the field I created, it only see's the 1 which is inaccurate. What I would like to accomplish is if the took LIKE *m, *s, *ms then make the field something like (($s * 1000) + $ms) where $s would be seconds and $ms is milliseconds.

gkanapathy · ‎02-27-2012

No, but you can extract the minutes and seconds fields separately, then simply apply eval:

... | eval t_ms=(m*60000)+(s*1000)+ms

And then do whatever else you wanted:

...  |  eval t_ms=(m*60000)+(s*1000)+ms | stats avg(t_ms) by method_name

... SavePickOptions AND host=blah  |  eval t_ms=(m*60000)+(s*1000)+ms | where t_ms > 7000

View solution in original post

gkanapathy · ‎02-27-2012

No, but you can extract the minutes and seconds fields separately, then simply apply eval:

... | eval t_ms=(m*60000)+(s*1000)+ms

And then do whatever else you wanted:

...  |  eval t_ms=(m*60000)+(s*1000)+ms | stats avg(t_ms) by method_name

... SavePickOptions AND host=blah  |  eval t_ms=(m*60000)+(s*1000)+ms | where t_ms > 7000

Creating a render time field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Creating a render time field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem