topic Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec" in Splunk Search

How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

HeinzWaescher — Wed, 18 May 2016 08:15:37 GMT

Hi,

I would like to extract the duration in seconds from values like these:
"2 dy 13 hr 49 min 13 sec"
"1 hr 49 min 41 sec"
"12 min 56 sec"

For constant values (e.g. with only min & sec) I would use:
"12 min 56 sec" -> | rex field="FieldA" "(?.*)\ (?.*)\ (?.*) (?.*)"

But as you can see, the format can be different. Is possible to convert these fields into a duration in seconds?

My idea would be to extract fields for each part of the value, for example:

"2 dy 13 hr 49 min 13 sec" into:

dy=2
hr=13
min=49
sec=13

But I don't know how to achieve this. Can you help me?

Thanks in advance
Heinz

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

jmallorquin — Wed, 18 May 2016 08:30:01 GMT

Hi HeinzWasecher,

Have you try to use separate extractions like:

props.conf
EXTRACT-dias = \s(?<days>[^\s]+)\sdy
EXTRACT-horas = \s(?<hours>[^\s]+)\shr
...

And in the search make a fillnull of all the fields and make an eval with the calculation

|fillnull days hours .... value=0
| eval Totalsec = days*86400 + hours*3600 ....

Hope i help you

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

HeinzWaescher — Wed, 18 May 2016 08:32:41 GMT

Thanks for your answer. I'm using a csv with inputlookup here, so I think I have to do it at search time?

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

jmallorquin — Wed, 18 May 2016 09:03:10 GMT

Hi,

Yes. I that case it will be
| rex "\s(?[^\s]+)\sdy" |rex "\s(?[^\s]+)\shr" ....

Hope i help you

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

HeinzWaescher — Wed, 18 May 2016 09:09:37 GMT

This results in an error:

Error in 'rex' command: Encountered the following error while compiling the regex '\s(?[^\s]+)\sdy': Regex: unrecognized character after (? or (?-

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

sundareshr — Wed, 18 May 2016 17:29:28 GMT

Try this

.... | eval duration= replace(duration,"(\d*)+?(\d+):(\d+):(\d+)","\1dy \2hr \3min \4sec")

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

HeinzWaescher — Thu, 19 May 2016 05:47:36 GMT

Thanks for your suggestion. I'm not sure what is intended by this command, adding it just copies the field.

duration="14 hr 22 min 44 sec" -> new duration="14 hr 22 min 44 sec"

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

sundareshr — Thu, 19 May 2016 12:10:09 GMT

LOL. I clearly misunderstood your question. Here, I think I know now, what you are looking for. Try this runanywhere sample

| gentimes start=-1 | eval duration="49 min 13 sec" | rex field=duration "((?<dy>\d+)\sdy\s)?((?<hr>\d+)\shr\s)?((?<min>\d+)\smin\s)?((?<sec>\d+)\ssec)?" | eval dy=coalesce(dy, 0) | eval hr=coalesce(hr, 0) | eval min=coalesce(min, 0) | eval sec=coalesce(sec, 0) | eval duration=(dy*(3600*24)) + (hr*(3600)) + (min*60) + sec | eval dur=tostring(duration, "duration") | table dy hr min sec duration dur

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

HeinzWaescher — Thu, 19 May 2016 13:02:54 GMT

Awesome, this works fine 🙂
Thanks a lot

Re: How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

jmallorquin — Thu, 19 May 2016 13:03:06 GMT

Hi,

Sorry I didn't quote and the command was malformed

The correct is :

| rex "\s(?<days>[^\s]+)\sdy" |rex "\s(?<hours>[^\s]+)\shr" ....<-- continue with the rest of the fields
|fillnull days hours .... value=0
| eval Totalsec = days*86400 + hours*3600 ....