topic Re: How to extract days ,hours minutes and secs?? in Splunk Search

How to extract days ,hours minutes and secs??

chitreshakumar — Fri, 29 Dec 2017 06:32:46 GMT

I have got the duration in this format 11+09:45:25.591549.I want to convert it to 11 days 9 hours 45 mins 25 secs.

Re: How to extract days ,hours minutes and secs??

493669 — Fri, 29 Dec 2017 07:12:51 GMT

rex field=<duration_field_name> "(?<DAYS>\d+).(?<Hours>\d+).(?<Mins>\d+).(?<Secs>\d+)"|table DAYS, Hours, Mins, Secs

replace <duration_field_name> with your duration field name

Re: How to extract days ,hours minutes and secs??

DalJeanis — Fri, 29 Dec 2017 07:20:57 GMT

Here's one way...

| makeresults 
| eval myfield1="11+09:45:25.591549" 
| eval myfield2=myfield1 
| rex mode=sed field=myfield2 "s/(\d+)\+(\d+):(\d+):(\d+).(\d+)/\1 days \2 hours \3 mins \4 secs/g"
| table myfield1 myfield2

Above method assumes you will always have all pieces. If you will occasionally have durations that are shorter than a day and have zero days, zero hours or whatever, then you need to define what you want to receive.

Re: How to extract days ,hours minutes and secs??

chitreshakumar — Fri, 29 Dec 2017 07:27:51 GMT

Hi DalJeanis ,

There are some field values like this 00:00:10.000000 which I want to convert it to days , hours ,minutes and secs
Any way we can add " "00+" 00:00:10.000000"

Re: How to extract days ,hours minutes and secs??

DalJeanis — Sat, 30 Dec 2017 20:47:09 GMT

That should be something like this

 | makeresults 
 | eval myfield1="11+09:45:25.591549 00:00:10.000000"
 | makemv myfield1
 | mvexpand myfield1 
 | eval myfield2=myfield1 
 | rex mode=sed field=myfield2 "s/((\d+)\+)?(\d+):(\d+):(\d+).(\d+)/\2 days \3 hours \4 mins \5 secs/g s/^ /0 /g s/00/0/g"
 | table myfield1 myfield2