Solved: How to start time calculation for each transaction...

xp001975 · ‎02-27-2023

Hi ,

I have a splunk log where we have End time and time to Serve Requst (in Millisec).
i want calculate Start time by subtracting End time - time to Serve Requst (in Millisec) . Can you please help me with the query which will help me to achieve this requirement.

Example:

End time -2023-02-27 10:46:13.559
time to server Request - 1131 (milliSec)

bowesmana · ‎02-28-2023

Epoch times are in seconds, so if you want to display those as localised text based dates, you need to convert them. The _time field is different in that it IS epoch, but it is always shown in a text form.

To convert the start time to a text form use strftime

| eval starttime=strftime(_time-(time_to_serve_request/1000), "%F %T.%Q")

View solution in original post

xp001975 · ‎02-27-2023

I am trying | eval EndTime = strptime(_time, "%Y-%m-%d %H:%M:%S.%3N%Z") | eval timetoserveRequst = strptime(time_to_serve_request, ".%3N%Z") | eval startTIme = EndTime - timetoserveRequst
| table startTIme EndTime

But Nothing is getting displayed

bowesmana · ‎02-27-2023

Assuming those are your field names, here is an example

| makeresults
| eval "End time"="2023-02-27 10:46:13.559"
| eval "time to server Request" = 1131
| eval end_time=strptime('End time', "%F %T.%Q")
| eval start_time=end_time-('time to server Request'/1000)
| eval StartTime=strftime(start_time, "%F %T.%Q")

so just parse the time with strptime() and then subtract milliseconds /1000 from the end time to get start time

xp001975 · ‎02-27-2023

i tried but nothing is coming in the output

bowesmana · ‎02-27-2023

_time is already in epoch, so if your 'end time' is actually the _time field, just subtract the millseconds / 1000

xp001975 · ‎02-27-2023

Still no luck

bowesmana · ‎02-27-2023

Please add the time_to_serve_request in the table.

Generally if a field is blank it means that its dependencies are not what you expect them to be

richgalloway · ‎02-27-2023

Is that one event or two? If two, then what field(s) connect them to a transaction?

---
If this reply helps you, Karma would be appreciated.

xp001975 · ‎02-28-2023

Do you have any query to help ?

xp001975 · ‎02-27-2023

This is one event .

want to calculate the start time by deducting time to serve request (millisec) from _time .

ITWhisperer · ‎02-28-2023

| eval starttime=_time-(time_to_serve_request/1000)

xp001975 · ‎02-28-2023

Do you have any help here ?

bowesmana · ‎02-28-2023

If you have a field called time_to_serve_request in your data and it has a numeric value, then the eval statement should work.

Please add time_to_serve_request in your table statement and post here the screenshot.

xp001975 · ‎02-28-2023

Start time is not coming in YYYY-MM-DD HH:MM:SS.millisec format

bowesmana · ‎02-28-2023

Epoch times are in seconds, so if you want to display those as localised text based dates, you need to convert them. The _time field is different in that it IS epoch, but it is always shown in a text form.

To convert the start time to a text form use strftime

| eval starttime=strftime(_time-(time_to_serve_request/1000), "%F %T.%Q")

How to start time calculation for each transaction?

transaction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms