I have a log entry that looks like:
2012-11-07 06:55:42,963 INFO [dler-HTTPThreadGroup-1242] RID=1352300142367-150943 c.r.c.u.w.f.ElapsedTimeCommonsLoggingFilter - Elapsed Time: 0:00:00.596 (596) /t2services_dis/RpsImageArchiveService#GetURLRequest
From that I pull Elapsed Time: 0:00:00.596 and slice out 0:00:00.596. This is the application duration (app_dur) for that java service/method call.
As this is a string I need to change it to something Splunk can work with. I can do that with either convert:
convert timeformat="%H:%M:%S.%Q" mktime(app_dur) as processtime
or eval:
eval processtime = strptime(app_dur, "%H:%M:%S.%Q")
In either case, I get a number that looks like, say, 1352268077.5060000 (with convert it is limited to three decimal places). This is NOT human readable. 😞
What I want to do is create a timechart of execution time in a format that the user can understand, and so far I cannot accomplish this feat.
Just a simple chart with time across the bottom and the max/min/median/perc95, or whatever, values for application duration on a per process basis.
Have you tried converting to seconds instead? As long as you don't have any really long durations I think this would work and be easiest for users to read.
"Convert mstime" would work out of the box, but the %H in your duration throws a wrench in the built-in command... You could strip the hours, as long as you never need them.
eval processtime=substr(app_dur,3,11) | convert mstime(processtime)
Should result in: 0.596000
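An added example, not part of either post above: a search that turns the H:MM:SS.mmm string into plain seconds while keeping the hour component, then charts it per service. The field names app_secs and service, the 5-minute span and the rex pattern are assumptions for illustration; the first two lines only construct a sample event from the log line in the question and would be replaced by the real base search.

```spl
| makeresults
| eval _raw="2012-11-07 06:55:42,963 INFO [dler-HTTPThreadGroup-1242] RID=1352300142367-150943 c.r.c.u.w.f.ElapsedTimeCommonsLoggingFilter - Elapsed Time: 0:00:00.596 (596) /t2services_dis/RpsImageArchiveService#GetURLRequest"
| rex "Elapsed Time: (?<app_dur>\d+:\d{2}:\d{2}\.\d+) \(\d+\) (?<service>\S+)"
| eval parts=split(app_dur, ":")
| eval app_secs=tonumber(mvindex(parts,0))*3600 + tonumber(mvindex(parts,1))*60 + tonumber(mvindex(parts,2))
| timechart span=5m max(app_secs) AS max_s median(app_secs) AS median_s perc95(app_secs) AS p95_s by service
```

For the sample event app_secs evaluates to 0.596, and a duration such as 1:02:03.500 would become 3723.5 instead of losing its hours.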