Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get index time in subseconds ?

sunrise
Contributor
‎12-24-2013 10:58 PM

Hi Splunkers,

I want to know the index time lag in subsecond order by following command.

index=main | eval index_lag = _indextime - _time | convert  timeformat="%H:%M:%S.%3N" ctime(index_lag)

But the values of "index_lag" are below.

00:00:00.000
00:00:01.000

These results may be wrong in subseconds.
How to get correct figures ?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-25-2013 02:34 PM

Running your query for my _internal index does give me subseconds.

There's a much greater problem though. Your convert call treats the time difference in index_lag as a unix time epoch timestamp. As a result, a value of 86400 is treated exactly the same as a value of 0 because you're cutting off the day that would roll over. Similarly, negative values would be ignored.
It'd be better to use the duration conversion Splunk offers:

index=main | eval index_lag = _indextime - _time | eval converted_index_lag = tostring(index_lag, "duration")

That will still provide a wonky handling of negative values, but at least you won't see lags over a day being wrapped to within one day.

Both options should show milliseconds though.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-25-2013 02:34 PM

Running your query for my _internal index does give me subseconds.

There's a much greater problem though. Your convert call treats the time difference in index_lag as a unix time epoch timestamp. As a result, a value of 86400 is treated exactly the same as a value of 0 because you're cutting off the day that would roll over. Similarly, negative values would be ignored.
It'd be better to use the duration conversion Splunk offers:

index=main | eval index_lag = _indextime - _time | eval converted_index_lag = tostring(index_lag, "duration")

That will still provide a wonky handling of negative values, but at least you won't see lags over a day being wrapped to within one day.

Both options should show milliseconds though.

0 Karma
Reply
Solved! Jump to solution

sunrise
Contributor
‎12-25-2013 07:20 PM

Thank you, martin_mueller.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...