Help in calculating the difference between two time stamps?

Builder

Hello Experts,

I have the below two fields
EMLREQUESTTIME: 2016-01-19 15:44:00.749 +00:00
EMLRESPONSETIME: 2016-01-19 15:44:02.366 +00:00

I want to find out the averageresponsetime i.e.

averageresponsetime =EMLRESPONSETIME - EMLREQUESTTIME

0 Karma
Re: Help in calculating the difference between two time stamps?

Explorer

Convert those 2 times into epoch time and use the eval command to find the difference.

0 Karma
Re: Help in calculating the difference between two time stamps?

Builder

That is what I am finding difficulty in. Can you please help me with that?

0 Karma
Re: Help in calculating the difference between two time stamps?

Motivator

Hi vrmandadi,

Try like this,

| eval average_response_time = strptime(EML_RESPONSE_TIME, "%Y-%m-%d %H:%M:%S.%3N") - strptime(EML_REQUEST_TIME, "%Y-%m-%d %H:%M:%S.%3N")

Hope it helps.

Edit: This might work, as you did not mention those brackets on your sample data.

| rename "ENDPOINT_LOG.EML_REQUEST_TIME" as EML_REQUEST_TIME | rename "ENDPOINT_LOG.EML_RESPONSE_TIME" as EML_RESPONSE_TIME | eval average_response_time = strptime(EML_RESPONSE_TIME, "%Y-%m-%d %H:%M:%S.%3N") - strptime(EML_REQUEST_TIME, "%Y-%m-%d %H:%M:%S.%3N")
0 Karma
Re: Help in calculating the difference between two time stamps?

Builder

Hello alemarzu, I tried using your query but it did not work. I don't see any new field named averageresponsetime created, nor do I see any results.

0 Karma
Re: Help in calculating the difference between two time stamps?

Motivator

That's weird, can you show me your query?

0 Karma
Re: Help in calculating the difference between two time stamps?

Builder

| eval averageresponsetime = strptime("ENDPOINTLOG{}.EMLRESPONSETIME", "%Y-%m-%d %H:%M:%S.%3N") - strptime("ENDPOINTLOG{}.EMLREQUESTTIME", "%Y-%m-%d%H:%M:%S.%3N")

0 Karma
Re: Help in calculating the difference between two time stamps?

Motivator

I can see what's happening.

Try with this,

| rename "ENDPOINT_LOG.EML_REQUEST_TIME" as EML_REQUEST_TIME | rename "ENDPOINT_LOG.EML_RESPONSE_TIME" as EML_RESPONSE_TIME | eval average_response_time = strptime(EML_RESPONSE_TIME, "%Y-%m-%d %H:%M:%S.%3N") - strptime(EML_REQUEST_TIME, "%Y-%m-%d %H:%M:%S.%3N")
0 Karma
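
An added run-anywhere search (not posted by anyone in this thread) showing why the double-quoted field names in the earlier query produce no new field, and the per-event difference plus average the question asks for. In eval, double quotes make a string literal and single quotes reference a field, so strptime on a double-quoted name tries to parse the name itself and returns null. The three events, the names req, resp, n, sample_note, literal_diff, response_time and parse_status, and the use of %:z to consume the trailing "+00:00" offset are assumptions made for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_note="constructed events, not data from the thread"
| eval req="2016-01-19 15:44:00.749 +00:00"
| eval resp=case(n=1, "2016-01-19 15:44:02.366 +00:00",
                 n=2, "2016-01-19 15:44:01.249 +00:00",
                 n=3, "2016-01-19 15:44:03.749 +00:00")
| rename req AS "ENDPOINT_LOG.EML_REQUEST_TIME", resp AS "ENDPOINT_LOG.EML_RESPONSE_TIME"
| eval literal_diff=strptime("ENDPOINT_LOG.EML_RESPONSE_TIME", "%Y-%m-%d %H:%M:%S.%3N")
                  - strptime("ENDPOINT_LOG.EML_REQUEST_TIME", "%Y-%m-%d %H:%M:%S.%3N")
| eval response_time=strptime('ENDPOINT_LOG.EML_RESPONSE_TIME', "%Y-%m-%d %H:%M:%S.%3N %:z")
                   - strptime('ENDPOINT_LOG.EML_REQUEST_TIME', "%Y-%m-%d %H:%M:%S.%3N %:z")
| eval parse_status=if(isnull(response_time), "unparsed", "ok")
| stats count AS events,
        count(literal_diff) AS literal_diff_set,
        avg(response_time) AS average_response_time,
        max(response_time) AS max_response_time
        BY parse_status
```

The parse_status split keeps events whose timestamps failed to parse visible in the output instead of letting avg() skip them silently.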
Re: Help in calculating the difference between two time stamps?

Builder

alemarzu,

I have events in which each event has ENDPOINTLOG.EMLREQUESTTIME and ENDPOINTLOG.EMLRESPONSETIME, and I am trying to find out the average_time by

ENDPOINTLOG.EMLRESPONSETIME - ENDPOINTLOG.EMLREQUESTTIME=average_time

for all the events

0 Karma
Re: Help in calculating the difference between two time stamps?

Motivator

Did you try with my last answer?

0 Karma