Splunk Search

F5 Networks iRule req_elapsed_time=0

EricPartington
Communicator

trying to implement the irule supplied by F5, we can get the irule to log to splunk.

We are having and issue with the req_elapsed_time field as it is always returning 0

Anyone else using that value and getting something other than 0 for a value?

We are trying to use the iRule to determine the response time for surfing via a particular pool and this value appears to be the one we need.

Tags (2)
0 Karma
1 Solution

MarioM
Motivator

which version of F5 Big-ip you use ?

Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )

Request Logging Profile

View solution in original post

rblair978
Explorer

I have looked into the iRule code a bit further. I reproduced this issue in my lab environment.

I made some immediate changes to the supplied iRule to correct this.
I will continue to evaluate this and provide fixes to Splunk for posting in the near future.

In the mean time here is the latest iRule. For now i copied the calculation for the req_elapsed_time to be within the context of HTTP_RESPONSE

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}

when HTTP_REQUEST {
    set vhost [HTTP::host]:[TCP::local_port]
    set url [HTTP::uri]
    set method [HTTP::method]
    set http_version [HTTP::version]
    set user_agent [HTTP::header "User-Agent"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set req_elapsed_time 0
    set virtual_server [LB::server]

    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
        if {$req_length > 4000000} then {
            set $req_length 4000000
        }
        HTTP::collect $req_length
    } else {
        set req_length 0
    }

    if { [HTTP::header "Referer"] ne "" } then {
        set referer [HTTP::header "Referer"]
    } else {
        set referer -
    }
}

when HTTP_REQUEST_DATA {
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    HTTP::release
}

when HTTP_RESPONSE {
    set hsl [HSL::open -proto TCP -pool splunk-2]
    set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]:[TCP::server_port]
    set status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]

    if { [HTTP::header Content-Length] > 0 } then {
        set response_length [HTTP::header "Content-Length"]
    } else {
        set response_length 0
    }

    HSL::send $hsl "<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\r\n"
}

MarioM
Motivator

which version of F5 Big-ip you use ?

Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )

Request Logging Profile

View solution in original post

MarioM
Motivator
0 Karma

EricPartington
Communicator

we're running 10.2.1 right now

I have forwarded the link to the group that has access to see if they can get a response through that.

If there are any other hints for the irule code that would be appreciated.

thanks for the response

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!