Splunk Search

F5 Networks iRule req_elapsed_time=0

EricPartington
Communicator

trying to implement the irule supplied by F5, we can get the irule to log to splunk.

We are having and issue with the req_elapsed_time field as it is always returning 0

Anyone else using that value and getting something other than 0 for a value?

We are trying to use the iRule to determine the response time for surfing via a particular pool and this value appears to be the one we need.

Tags (2)
0 Karma
1 Solution

MarioM
Motivator

which version of F5 Big-ip you use ?

Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )

Request Logging Profile

View solution in original post

rblair978
Explorer

I have looked into the iRule code a bit further. I reproduced this issue in my lab environment.

I made some immediate changes to the supplied iRule to correct this.
I will continue to evaluate this and provide fixes to Splunk for posting in the near future.

In the mean time here is the latest iRule. For now i copied the calculation for the req_elapsed_time to be within the context of HTTP_RESPONSE

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}

when HTTP_REQUEST {
    set vhost [HTTP::host]:[TCP::local_port]
    set url [HTTP::uri]
    set method [HTTP::method]
    set http_version [HTTP::version]
    set user_agent [HTTP::header "User-Agent"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set req_elapsed_time 0
    set virtual_server [LB::server]

    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
        if {$req_length > 4000000} then {
            set $req_length 4000000
        }
        HTTP::collect $req_length
    } else {
        set req_length 0
    }

    if { [HTTP::header "Referer"] ne "" } then {
        set referer [HTTP::header "Referer"]
    } else {
        set referer -
    }
}

when HTTP_REQUEST_DATA {
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    HTTP::release
}

when HTTP_RESPONSE {
    set hsl [HSL::open -proto TCP -pool splunk-2]
    set resp_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]:[TCP::server_port]
    set status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]

    if { [HTTP::header Content-Length] > 0 } then {
        set response_length [HTTP::header "Content-Length"]
    } else {
        set response_length 0
    }

    HSL::send $hsl "<190>|$vhost|device_product=Splunk Web Access iRule|$client|$method|\"$url\"|HTTP/$http_version|$user_agent|\"$referer\"|$req_start_time|$req_length|$req_elapsed_time|$node|$status|$resp_start_time|$response_length|$virtual_server\r\n"
}

MarioM
Motivator

which version of F5 Big-ip you use ?

Because in 11.x the Request logging parameters to get those values is RESPONSE_MSECS (The elapsed time in milliseconds (ms) between receiving the request and sending the response. )

Request Logging Profile

MarioM
Motivator
0 Karma

EricPartington
Communicator

we're running 10.2.1 right now

I have forwarded the link to the group that has access to see if they can get a response through that.

If there are any other hints for the irule code that would be appreciated.

thanks for the response

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...