topic Re: When using the transaction command, how do I format the duration into H:M:S? in Splunk Search

When using the transaction command, how do I format the duration into H:M:S?

clarksinthehill — Thu, 04 Feb 2016 21:03:59 GMT

I'm sure this may have been asked before. When using transaction, I would like to format the duration into H:M:S, my search results for jobduration looks like 19 is being added to the result. Any help is appreciated.

Search is:

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" | transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" | eval Date=strftime(_time, "%m-%d-%y") | eval JobDuration=strftime(duration, "%H:%M:%S") | table Date job_name JobDuration

Sample Results:

02-03-16    ELSHPCST    02:56:52
02-04-16    ELVALRTD    19:00:00
02-04-16    ELVALRTPE   19:00:00
02-04-16    ELVALOOS    19:00:00
02-04-16    ELVALRTD    19:00:00
02-04-16    ELVALRTPE   19:00:00

Re: When using the transaction command, how do I format the duration into H:M:S?

javiergn — Thu, 04 Feb 2016 21:40:22 GMT

Use this instead:

| eval JobDuration = tostring(duration, "duration")

Re: When using the transaction command, how do I format the duration into H:M:S?

clarksinthehill — Fri, 05 Feb 2016 15:55:25 GMT

Thanks for the reply, using the above my results now include duration as a string. Any ideas?

02-05-16 ELINVPUB duration
02-05-16 ELLKPPARN duration
02-05-16 ELVALRTD duration
02-05-16 ELVALRTD duration

Re: When using the transaction command, how do I format the duration into H:M:S?

javiergn — Fri, 05 Feb 2016 16:42:50 GMT

Errrm, that shouldn't be the case unless your duration field is not a valid duration.
Can you post your whole query here?
Based on your comments it should be something like:

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" 
| transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" 
| eval Date = strftime(_time, "%m-%d-%y") 
| eval JobDuration = tostring(duration, "duration")
| table Date, job_name,  JobDuration

Re: When using the transaction command, how do I format the duration into H:M:S?

clarksinthehill — Fri, 05 Feb 2016 18:35:38 GMT

Sure - it is.

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" 
 | transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" 
 | eval Date = strftime(_time, "%m-%d-%y") 
 | eval JobDuration = strftime(duration, "duration")
 | table Date, job_name,  JobDuration

Re: When using the transaction command, how do I format the duration into H:M:S?

javiergn — Mon, 08 Feb 2016 09:39:59 GMT

Ok, I can see the problem.
I made a mistake when I copied and pasted your code.

Instead of strftime you have to use the tostring function for JobDuration.

That is:

| eval JobDuration = tostring(duration, "duration")

Let me know if that helps. I have already fixed my two answers below.

Re: When using the transaction command, how do I format the duration into H:M:S?

clarksinthehill — Mon, 08 Feb 2016 15:23:07 GMT

Perfect! Thanks for the help.

Re: When using the transaction command, how do I format the duration into H:M:S?

javiergn — Mon, 08 Feb 2016 15:28:51 GMT

No worries. If this is resolved please remember to mark is as answered so that others can benefit from it in the future.