Hi Splunkers,
I want to know the index time lag in sub-second resolution with the following command.
index=main | eval index_lag = _indextime - _time | convert timeformat="%H:%M:%S.%3N" ctime(index_lag)
But the values of "index_lag" are below.
00:00:00.000
00:00:01.000
These results seem wrong in the sub-second part.
How do I get correct figures?
Thank you.
Running your query for my _internal index does give me subseconds.

There's a much greater problem though. Your convert call treats the time difference in index_lag as a Unix epoch timestamp. As a result, a value of 86400 is treated exactly the same as a value of 0, because you're cutting off the day that would roll over. Similarly, negative values would be ignored.

It'd be better to use the duration conversion Splunk offers:

index=main | eval index_lag = _indextime - _time | eval converted_index_lag = tostring(index_lag, "duration")

That will still provide a wonky handling of negative values, but at least you won't see lags over a day being wrapped to within one day.

Both options should show milliseconds though.
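The wrap-around described in the answer above is easy to see outside Splunk. The following is an added example, not code from the thread or from Splunk: it builds a few constructed events with `_time`/`_indextime` pairs, computes the lag exactly as the SPL `eval` does, and renders it two ways. `format_as_clock_time` reproduces what `convert ctime` with `%H:%M:%S.%3N` does to a lag (treat it as an epoch and keep only the time of day, so 86400 prints as 00:00:00.000 and a negative lag prints as late evening), while `format_as_duration` keeps the day count and the sign. The `D+HH:MM:SS` layout follows Splunk's duration convention; the `.mmm` millisecond suffix and the leading `-` are this example's own choices, not a claim about Splunk's exact rendering.

```python
# Added example: how a lag formatted as "time of day" wraps, and how a
# duration formatter avoids it. Not Splunk code; the constructed events
# below stand in for search results.

MS_PER_DAY = 86_400_000
MS_PER_HOUR = 3_600_000
MS_PER_MINUTE = 60_000

# Constructed sample events: (_indextime, _time) in epoch seconds.
# The last two deliberately cover a lag over one day and a negative lag
# (an event whose timestamp is later than the time it was indexed).
SAMPLE_EVENTS = [
    {"_indextime": 1_700_000_000.0, "_time": 1_700_000_000.0},      # 0 s
    {"_indextime": 1_700_000_001.0, "_time": 1_700_000_000.750},    # 250 ms
    {"_indextime": 1_700_000_060.0, "_time": 1_700_000_000.001},    # 59.999 s
    {"_indextime": 1_700_086_400.0, "_time": 1_700_000_000.0},      # exactly 1 day
    {"_indextime": 1_700_090_061.0, "_time": 1_699_999_999.877},    # 1d 1h 1m 1.123s
    {"_indextime": 1_700_000_000.0, "_time": 1_700_000_002.5},      # -2.5 s
]


def _split_hms(ms: int) -> str:
    """Render a non-negative millisecond count below one day as HH:MM:SS.mmm."""
    h, rem = divmod(ms, MS_PER_HOUR)
    m, rem = divmod(rem, MS_PER_MINUTE)
    s, msec = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{msec:03d}"


def format_as_clock_time(lag_seconds: float) -> str:
    """Mimic `convert timeformat="%H:%M:%S.%3N" ctime(lag)`.

    The lag is interpreted as a Unix epoch timestamp and only the time-of-day
    part survives, i.e. the value is reduced modulo one day (UTC). Python's %
    on a negative number yields a non-negative remainder, which matches what
    strftime prints for a negative epoch value (late on 1969-12-31).
    """
    total_ms = round(lag_seconds * 1000)
    return _split_hms(total_ms % MS_PER_DAY)


def format_as_duration(lag_seconds: float) -> str:
    """Render a lag as a signed duration, keeping whole days as `D+HH:MM:SS.mmm`.

    The `D+` prefix follows Splunk's tostring(x, "duration") convention; the
    millisecond suffix and explicit sign are this example's own choices.
    """
    total_ms = round(lag_seconds * 1000)
    sign = "-" if total_ms < 0 else ""
    days, rem = divmod(abs(total_ms), MS_PER_DAY)
    body = _split_hms(rem)
    return f"{sign}{days}+{body}" if days else f"{sign}{body}"


def index_lag(event: dict) -> float:
    """The SPL `eval index_lag = _indextime - _time`, on one event."""
    return event["_indextime"] - event["_time"]


def lag_table(events) -> list:
    """Return (lag_seconds, clock_time_rendering, duration_rendering) per event."""
    rows = []
    for ev in events:
        lag = index_lag(ev)
        rows.append((lag, format_as_clock_time(lag), format_as_duration(lag)))
    return rows


if __name__ == "__main__":
    print(f"{'lag (s)':>12}  {'ctime %H:%M:%S.%3N':>20}  {'duration':>18}")
    for lag, as_clock, as_duration in lag_table(SAMPLE_EVENTS):
        print(f"{lag:>12.3f}  {as_clock:>20}  {as_duration:>18}")
```

Running it shows the two problem rows side by side: the one-day lag renders as `00:00:00.000` in the clock-time column, indistinguishable from zero lag, and the negative lag renders as `23:59:57.500`, which looks like a huge positive delay. The duration column keeps `1+00:00:00.000` and `-00:00:02.500`. A negative lag is worth catching rather than hiding, since it means the event's extracted timestamp lies after the moment Splunk indexed it (clock skew on the source or a mis-parsed timestamp). One further caveat on the original question: Splunk records `_indextime` in whole seconds, so any fractional part of the lag can only come from `_time`; events whose `_time` carries no sub-second precision will always show `.000`, whichever formatter is used.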
Thank you, martin_mueller.