Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: F5 Networks iRule req_elapsed_time=0
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
trying to implement the irule supplied by F5, we can get the irule to log to splunk.
We are having and issue with the req_elapsed_time field as it is always returning 0
Anyone else using that value and getting something other than 0 for a value?
We are trying to use the iRule to determine the response time for surfing via a particular pool and this value appears to be the one we need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which version of F5 Big-ip you use ?
Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have looked into the iRule code a bit further. I reproduced this issue in my lab environment.
I made some immediate changes to the supplied iRule to correct this.
I will continue to evaluate this and provide fixes to Splunk for posting in the near future.
In the mean time here is the latest iRule. For now i copied the calculation for the req_elapsed_time to be within the context of HTTP_RESPONSE
when CLIENT_ACCEPTED {
set client [IP::client_addr]
}
when HTTP_REQUEST {
set vhost [HTTP::host]:[TCP::local_port]
set url [HTTP::uri]
set method [HTTP::method]
set http_version [HTTP::version]
set user_agent [HTTP::header "User-Agent"]
set tcp_start_time [clock clicks -milliseconds]
set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set req_elapsed_time 0
set virtual_server [LB::server]
if { [HTTP::header Content-Length] > 0 } then {
set req_length [HTTP::header "Content-Length"]
if {$req_length > 4000000} then {
set $req_length 4000000
}
HTTP::collect $req_length
} else {
set req_length 0
}
if { [HTTP::header "Referer"] ne "" } then {
set referer [HTTP::header "Referer"]
} else {
set referer -
}
}
when HTTP_REQUEST_DATA {
set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
HTTP::release
}
when HTTP_RESPONSE {
set hsl [HSL::open -proto TCP -pool splunk-2]
set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
set node [IP::server_addr]:[TCP::server_port]
set status [HTTP::status]
set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
if { [HTTP::header Content-Length] > 0 } then {
set response_length [HTTP::header "Content-Length"]
} else {
set response_length 0
}
HSL::send $hsl "<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\r\n"
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which version of F5 Big-ip you use ?
Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is good article on devcentral:
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084350/BIG-...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we're running 10.2.1 right now
I have forwarded the link to the group that has access to see if they can get a response through that.
If there are any other hints for the irule code that would be appreciated.
thanks for the response
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
