RSA Admin

miliseconds and calculating duration

Discussion created by RSA Admin Employee on Mar 17, 2010

I have a question about the best way to account for miliseconds when writing UDS, and how to perform a duration calculation against them, and was hoping to get some opinions form the community on what you might try, or if you've found a good way to deal with this.

Here's the use case.  We've written a custom program that scans emails at our mail gateway looking for custom things that commercial security vendors don't/can't/won't pick up.  We're basically writing our own custom AV checks.  Every time a mail comes through, it scans it against our custom checks, and logs several different types of events, one of which I've shown here, it's the perflog. For performance reasons, we're interested in montioring how long it takes in miliseconds or seconds to perform the custom scans on the email as they pass through the gateway, so we write a very simple perflog event structured like the following example.

<event_time>             <process name>  <level>   <PID>   <msg_ID> <starttime>               <endtime>

 

2010-03-11 00:02:14,017 - CustomScanner - INFO - [139894] [perflog] 2010-03-11 00:02:13.833368 2010-03-11 00:02:14.017667
2010-03-11 00:08:21,192 - CustomScanner - INFO - [139901] [perflog] 2010-03-11 00:08:20.687887 2010-03-11 00:08:21.192538
2010-03-11 00:09:30,615 - CustomScanner - INFO - [139903] [perflog] 2010-03-11 00:09:28.653833 2010-03-11 00:09:30.615694

pretty basic.  When did we start scanning the message, and when did we stop.  Oh, and as a side note, the PID assoicates this perflog to the specific email, but those logs are omitted here.

Anyway, you'll notice that the timestamp of when the scan completes almost always matches the log timestamp, because the application writes it out to log immediately after completeting the scan.

So here's my goal...  I want to be able (using the 'Network' table 74) parse starttime and endtime into their respective fields, and then perform a duration calculation function against the difference between those two, and shove that duration value into the duration field.  The problem I'm experiencing is that everything after the decimal place gets ignored, and that's really what I need to calculate against. I believe this is because the DURSTR function only references hh:mm:ss and can't handle miliseconds (hh:mm:ss.ssssss) .

I've considered creating a custom time stamp declaration with devts, but it's my understanding that you have to have the custom timestamp payload delcared in your header section, and as you can see, my two timestamps are clear at the end of the perflog lines, leaving nothing for the message section.

Does anyone have a suggestion, or have you attempted this?

Does anyone else have a need right now for this or see a potential use case for this down the road?

 

Thanks in advance,

ryan

Outcomes