topic Re: Trying to dur2sec a HH field that is more than 24H in Splunk Search

Trying to dur2sec a HH field that is more than 24H

wweiland — Wed, 09 Oct 2013 19:36:40 GMT

I'm trying to dur2sec a hour field that is more than 24H and therefore doesn't work. Anyone have any suggestions on how I can get the seconds out of this type of HH:MM:SS?

Below is a sample output showing that below 24H works fine, everything above fails.

walltime wall
24:00:03

23:59:46 86386

Re: Trying to dur2sec a HH field that is more than 24H

kristian_kolb — Wed, 09 Oct 2013 20:25:50 GMT

You can do it manually;

blah blah | rex field=your_time_field "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)" | eval dur = (HH * 3600) + (MM * 60) + SS | table your_time_field dur

Re: Trying to dur2sec a HH field that is more than 24H

sowings — Wed, 09 Oct 2013 20:32:02 GMT

I think dur2sec might be aimed at something like a sendmail (x)delay field, where values over 24 hours are converted to days+HH:MM:SS. I'd go with @kristian.kolb 's solution shown below.

Re: Trying to dur2sec a HH field that is more than 24H

wweiland — Wed, 09 Oct 2013 20:42:56 GMT

Thank you for your help!

Re: Trying to dur2sec a HH field that is more than 24H

wrighke — Thu, 01 Aug 2019 02:23:57 GMT

Just want to add, if your timestamp included milliseconds, you can use:

| rex field=diff "(?\d+):(?\d+):(?\d+).(?\d+)"
| eval dur = (HH * 3600) + (MM * 60) + SS + (MS / 1000000)

my timestamp had 6 decimal places for ms, so I divide ms by 1,000,000