Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

time format and evaluation for charting

tyronetv
Communicator
‎11-07-2012 08:50 AM

I have a log entry that looks like:

2012-11-07 06:55:42,963 INFO [dler-HTTPThreadGroup-1242] RID=1352300142367-150943 c.r.c.u.w.f.ElapsedTimeCommonsLoggingFilter - Elapsed Time: 0:00:00.596 (596) /t2services_dis/RpsImageArchiveService#GetURLRequest

From that I pull Elapsed Time: 0:00:00.596 and slice out 0:00:00.596. This is the application duration (app_dur) for that java service/method call.

As this is a string I need to change it to something Splunk can work with. I can do that with either convert:
convert timeformat="%H:%M:%S.%Q" mktime(app_dur) as processtime
or eval:
eval processtime = strptime(app_dur, "%H:%M:%S.%Q")

In either case, I get a number that looks like, say, 1352268077.5060000 (with convert it is limited to three decimal places). This NOT human readable. 😞

What I want to do is create a timechart of execution time in a format that the user can understand and so far I can not accomplish this feat.

Just a simple chart with time across the bottom and the max/min/median/perc95, or whatever, values for application duration on a per process basis.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

axinjakson
Explorer
‎11-07-2012 11:08 AM

Have you tried converting to seconds instead? As long as you dont have any really long durations I think this would work and be easiest for users to read.

"Convert mstime" would work out of the box, but the %H in your duration throws a wrench in the built in command... You could strip the hours, as long you never need them.

eval processtime=substr(app_dur,3,11) | convert mstime(processtime)

Should result in: 0.596000

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

axinjakson
Explorer
‎11-07-2012 11:08 AM

Have you tried converting to seconds instead? As long as you dont have any really long durations I think this would work and be easiest for users to read.

"Convert mstime" would work out of the box, but the %H in your duration throws a wrench in the built in command... You could strip the hours, as long you never need them.

eval processtime=substr(app_dur,3,11) | convert mstime(processtime)

Should result in: 0.596000

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...