topic Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)? in Splunk Search

How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

chadman — Thu, 11 Aug 2016 15:09:41 GMT

I have a search that creates a time in HH:MM and looks like 04:34.000. How can I drop the .000 at the end of this? Here is the part of my search that gets the time.

| addinfo | eval duration=info_max_time-info_min_time | eval dur_formatted=tostring(duration, "duration") | eval HH:MM:SS=tostring('duration', "duration") | convert rmunit("duration") as numSecs  | eval "duration" = round('duration',0) | eval stringSecs2=tostring(numSecs,"duration") | eval "Total Time in HH:MM" = replace(stringSecs2,"(\d+)\:(\d+)\:(\d+)","\1:\2")

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

sundareshr — Thu, 11 Aug 2016 15:13:23 GMT

Try this

| addinfo | eval duration=info_max_time-info_min_time | eval dur_formatted=tostring(round(duration, 0), "duration") | table duration dur_formatted

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

skoelpin — Thu, 11 Aug 2016 15:15:28 GMT

You could use rtrim to cut the last 3 digits

... | eval stringSecs2 = rtrim(stringSecs2,substr(stringSecs2,-3))

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

chadman — Thu, 11 Aug 2016 15:22:03 GMT

That worked! thanks.

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

chadman — Thu, 11 Aug 2016 15:22:49 GMT

I could not get that to work. Were you say to replace what I had with that?

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

sundareshr — Thu, 11 Aug 2016 15:24:50 GMT

Replace you search with what I had

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

JDukeSplunk — Thu, 11 Aug 2016 15:26:16 GMT

Would this work?

| eval "Total Time in HH:MM"=strptime("Total Time in HH:MM", "%H:%M")

"strptime(X,Y) This function takes a time represented by a string, X, and parses it into a timestamp using the format specified by Y. For a list and descriptions of format options, refer to the topic "Common time format variables". If timeStr is in the form, "11:59", this returns it as a timestamp:"

Re: How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

chadman — Thu, 11 Aug 2016 15:27:16 GMT

when I did that I get "no results found"