- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert string format to time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert string format to time
One log line from LDAP log file
= ==================================
Sep 19 10:08:10 simxxx11 slapd_simxxx11[4274]: conn=3012 fd=52 ACCEPT from IP=10.100.10.102:53530 (IP=0.0.0.0:636)
I can capture the STARTTIME of the LDAP connection with a regular expression, but this gives me back a string. When I capture the STARTTIME using rex "(?P<STARTTIME>\w+\s+\d+\s+\d+:\d+:\d+).+conn=\d+ fd=\d+ ACCEPT.+" then I have the value Sep 19 10:08:12 in variable STARTTIME. I want to convert it to a time format.
I have tried
strptime(STARTTIME,"%Y-%m-%dT%H:%M:%S")
But this does not work.
Another log line from LDAP log file
===================================
Sep 19 10:08:12 simxxx11 slapd_simxxx[4274]: conn=3012 fd=52 closed
"(?P<ENDTIME>\w+\s+\d+\s+\d+:\d+:\d+).+ conn=\d+ fd=\d+ closed"
I need to find the difference between the STARTTIME and ENDTIME.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the timestamps you want to use for your calculations are in fact the timestamps that have been used when indexing the events, that information is available in the _time field as an epoch value (which are great for mathematical operations).
There are several ways in which you can achieve this;
With a transaction, assuming that conn is a unique id for this connection (or at least unique within an hour or so). transaction automatically creates a new field called duration
your_base_search | transaction conn maxevents=2 maxspan=1m startswith="ACCEPT" endswith="closed" | table conn duration
With stats. Assumptions as before.
your_base_search | stats min(_time) AS StartTime max(_time) AS EndTime by conn | eval dur = tostring((EndTime - StartTime), "duration")
You could also look at the convert command instead of the eval/tostring.
Some interesting reading:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but I don't know the structure of your transactions. LDAP is not my strongest side. Is it something like;
conn_1_start
op_1_start
op_1_end
op_2_start
op_2_end
conn_1_end
Or is it more like;
conn_1_start
op_1_timestamp
op_2_timestamp
op_3_timestamp
conn_1_end
You should probably post a few more sample events, highlighting which timstamps you need to compute durations for.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Kristian. Actually for a transaction based on conn, I can calculate the duration. But I want to calculate the individual BIND delays and SEARCH delays inside the transaction.Each operation inside a transaction has a unique op value. How can I use it to get to the individual delays.
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
