Please find the below XML file:
For this file I need a query to retrieve the values for
Start time for the request, i.e. where the cmd start is mentioned.
Quit time for the request, i.e. where the cmd quit is mentioned.
The difference between the start and quit time for the request.
Let me know if you need any more information.
As a first step, make sure your XML is indexed as one entry tag per event with the log_time value used as Splunk timestamp.
Once you've done that, using the spath command will create fields like entry.cliconnaddr, and so on - you can use those as you normally would use fields.
You could for example append this:
... | timechart avg(diff)
That'll produce a chart with the average diff value over time... no idea whether that's what you are looking for or not, there are endless numbers of different statistics you could want.
For displaying the time I recommend not using strftime(). That expects an epoch timestamp, i.e. seconds since January 1st, 1970 UTC. I assume you're on UTC-4 (EDT?), which shows an epoch value of 6 as four hours before midnight (plus 6 seconds) and drops the December 31st, 1969 due to the
Instead, use Splunk's duration converter:
... | eval end_time = strptime(...) | eval start_time = strptime(...) | eval diff = ... | eval move_time = tostring(diff, "duration")
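The pitfall described in this answer, reproduced outside Splunk as an added example (this is not code from the thread): the difference of two strptime() results is a plain number of seconds, and feeding that number to a timestamp formatter treats it as an instant shortly after the 1970 epoch, rendered in the local timezone. The sample timestamps and the UTC-4 offset are constructed to match the values quoted in this thread; Python's %f (microseconds) stands in for Splunk's %3Q (milliseconds).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values, modelled on the times quoted in the thread.
# The original XML is not shown on the page, so these are assumptions.
START = "2023-01-15 19:42:42.080"
END = "2023-01-15 19:42:48.305"
FMT = "%Y-%m-%d %H:%M:%S.%f"  # Python %f accepts 1-6 fractional digits


def duration_seconds(start: str, end: str, fmt: str = FMT) -> float:
    """Equivalent of `eval diff = strptime(end) - strptime(start)`:
    a plain number of seconds, not a point in time."""
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds()


def wrong_strftime_display(diff: float, utc_offset_hours: int = -4) -> str:
    """Reproduces the bug: formatting a duration as if it were an epoch timestamp.

    6.225 seconds after the epoch is 1970-01-01 00:00:06.225 UTC, which in a
    UTC-4 zone (assumed here) is 1969-12-31 20:00:06.225 - hence the "20:00:06".
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(diff, tz=tz).strftime("%H:%M:%S.%f")[:-3]


def duration_display(diff: float) -> str:
    """Format a number of seconds as [-]HH:MM:SS.mmm, the way a duration
    converter (e.g. tostring(diff, "duration")) presents it, timezone-free.
    Negative values (quit recorded before start) keep their sign."""
    sign = "-" if diff < 0 else ""
    total_ms = round(abs(diff) * 1000)
    hours, rem = divmod(total_ms, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, ms = divmod(rem, 1000)
    return f"{sign}{hours:02d}:{minutes:02d}:{seconds:02d}.{ms:03d}"


if __name__ == "__main__":
    diff = duration_seconds(START, END)
    print("diff in seconds      :", diff)
    print("strftime (UTC-4) bug :", wrong_strftime_display(diff))
    print("duration formatting  :", duration_display(diff))
```

Running it shows the same 6.225-second difference rendered as 20:00:06.225 by the timestamp formatter and as 00:00:06.225 by the duration formatter; changing the offset to 0 makes the buggy path "work" by accident, which is why the symptom depends on the search head's timezone.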
eval end_time=strptime(move_end,"%Y-%m-%d %H:%M:%S.%3Q") | eval start_time=strptime(move_file_start,"%Y-%m-%d %H:%M:%S.%3Q") | eval diff=end_time-start_time | eval move_time=strftime(diff, "%H:%M:%S.%3Q")
Please see this query and correct me.
OK, I wrote a query to calculate the difference between start and end time. In my XML file the start time is 19:42:48:305 and the end time is 19:42:42:080, so the actual difference between them should be 00:00:06:225, but it is showing me 20:00:06:225. Why is that happening?