https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/625823#M217526 <P>Hai All,</P> <P>from the below search&nbsp; how to convert secs to HH:MM format&nbsp;</P> <P>age fields is getting time in secs</P> <P>&nbsp;</P> <P>index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d<BR />| eval Host=coalesce(hostname, sourceHost)<BR />| eval age = (now() - _time )<BR />| stats min(age) as age, max(_time) as LastTime by Host<BR />| convert ctime(LastTime) as "Last Active On"<BR />| eval Status= case(age &lt; 1800,"Running",age &gt; 1800,"DOWN") | rename age as Age<BR />| sort Status | table Host, Status, Age,"Last Active On"</P> Wed, 04 Jan 2023 16:19:30 GMT sekhar463 2023-01-04T16:19:30Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/625823#M217526 <P>Hai All,</P> <P>from the below search&nbsp; how to convert secs to HH:MM format&nbsp;</P> <P>age fields is getting time in secs</P> <P>&nbsp;</P> <P>index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d<BR />| eval Host=coalesce(hostname, sourceHost)<BR />| eval age = (now() - _time )<BR />| stats min(age) as age, max(_time) as LastTime by Host<BR />| convert ctime(LastTime) as "Last Active On"<BR />| eval Status= case(age &lt; 1800,"Running",age &gt; 1800,"DOWN") | rename age as Age<BR />| sort Status | table Host, Status, Age,"Last Active On"</P> Wed, 04 Jan 2023 16:19:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/625823#M217526 sekhar463 2023-01-04T16:19:30Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/625827#M217529 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>you can use eval tostring:</P><LI-CODE lang="markup">index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d | eval Host=coalesce(hostname, sourceHost) | eval age=(now()-_time) | stats min(age) AS age max(_time) AS LastTime BY Host | convert ctime(LastTime) AS "Last Active On" | eval Status=if(age&lt; 1800,"Running","DOWN") | rename age AS Age | eval Age=tostring(Age,"duration") | sort Status | table Host Status Age "Last Active On"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 04 Jan 2023 14:53:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/625827#M217529 gcusello 2023-01-04T14:53:16Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/626169#M217640 <P>Hi Thanks,</P><P>this query i am using for to get UF status&nbsp;</P><P>but query taking long time if i am trying to filter status =DOWN&nbsp;</P><P>how we can modify this search fasten this query or how we can take time frame to get results</P> Fri, 06 Jan 2023 13:11:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/626169#M217640 sekhar463 2023-01-06T13:11:55Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/626292#M217680 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>if your search is slow there could be two issues:</P><UL><LI>very many data,</LI><LI>you're using a slow storage.</LI></UL><P>for the first issue, you can accelerate your search in many ways, e.g. using a summary index.</P><P>For the second issue, remember that storage is the bottleneck of each Splunk system, and Splunk requires at least 800 (better 1200) IOPS for Hot and Warm Buckets, so the only solution is to use a faster storage.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 07 Jan 2023 10:13:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-time-secs-into-HH-MM-format/m-p/626292#M217680 gcusello 2023-01-07T10:13:36Z