Splunk Search

time format and evaluation for charting

tyronetv
Communicator

I have a log entry that looks like:

2012-11-07 06:55:42,963 INFO [dler-HTTPThreadGroup-1242] RID=1352300142367-150943 c.r.c.u.w.f.ElapsedTimeCommonsLoggingFilter - Elapsed Time: 0:00:00.596 (596) /t2services_dis/RpsImageArchiveService#GetURLRequest

From that I pull Elapsed Time: 0:00:00.596 and slice out 0:00:00.596. This is the application duration (app_dur) for that java service/method call.

As this is a string I need to change it to something Splunk can work with. I can do that with either convert:
convert timeformat="%H:%M:%S.%Q" mktime(app_dur) as processtime
or eval:
eval processtime = strptime(app_dur, "%H:%M:%S.%Q")

In either case, I get a number that looks like, say, 1352268077.5060000 (with convert it is limited to three decimal places). This NOT human readable. 😞

What I want to do is create a timechart of execution time in a format that the user can understand and so far I can not accomplish this feat.

Just a simple chart with time across the bottom and the max/min/median/perc95, or whatever, values for application duration on a per process basis.

Tags (2)
0 Karma
1 Solution

axinjakson
Explorer

Have you tried converting to seconds instead? As long as you dont have any really long durations I think this would work and be easiest for users to read.

"Convert mstime" would work out of the box, but the %H in your duration throws a wrench in the built in command... You could strip the hours, as long you never need them.

eval processtime=substr(app_dur,3,11) | convert mstime(processtime)

Should result in: 0.596000

View solution in original post

0 Karma

axinjakson
Explorer

Have you tried converting to seconds instead? As long as you dont have any really long durations I think this would work and be easiest for users to read.

"Convert mstime" would work out of the box, but the %H in your duration throws a wrench in the built in command... You could strip the hours, as long you never need them.

eval processtime=substr(app_dur,3,11) | convert mstime(processtime)

Should result in: 0.596000

0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...