<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Extract Milliseconds in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272403#M82002</link>
    <description>&lt;P&gt;Hi @Mus yes it was asked before but I couldn't get this to work as I alluded to in that post, and I wasn't sure about the protocol of raising new posts and linking to prior ones.&lt;/P&gt;

&lt;P&gt;Anyway the solution you posted above works great, thank you for taking the time to come back to me with this.&lt;/P&gt;

&lt;P&gt;Many thanks and kind regards&lt;/P&gt;

&lt;P&gt;Chris&lt;/P&gt;</description>
    <pubDate>Mon, 08 Feb 2016 09:52:16 GMT</pubDate>
    <dc:creator>IRHM73</dc:creator>
    <dc:date>2016-02-08T09:52:16Z</dc:date>
    <item>
      <title>Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272399#M81998</link>
      <description>&lt;P&gt;Hi, I wonder whether someone could help me please.&lt;/P&gt;

&lt;P&gt;I'm using the query below to extract information about searches that have been performed.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;|rest /services/search/jobs
|rename custom.search as customSearch
|search NOT author="splunk-system-user"
|eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
|search SearchString!=""
|convert ctime(searchEarliestTime) as STime timeformat=%d/%m/%y
|convert ctime(searchLatestTime) as LTime timeformat=%d/%m/%y
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|table author SearchString duration stringSecs
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I'm having a little difficulty with this line: &lt;CODE&gt;eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Could someone tell me please how I could change this to display the milliseconds as "ms" in the same vein in which the hours, minutes and seconds are shown.&lt;/P&gt;

&lt;P&gt;I've tried the obvious &lt;CODE&gt;eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)\.(\d+)","\1h \2min \3s \4ms")&lt;/CODE&gt; but this doesn't work.&lt;/P&gt;

&lt;P&gt;I just wondered whether someone could point out where I've gone wrong please.&lt;/P&gt;

&lt;P&gt;Many thanks and kind regards&lt;/P&gt;

&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 07:54:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272399#M81998</guid>
      <dc:creator>IRHM73</dc:creator>
      <dc:date>2016-02-08T07:54:46Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272400#M81999</link>
      <description>&lt;P&gt;Hi IRHM73,&lt;/P&gt;

&lt;P&gt;Although this was asked before &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt; I'll try to answer it again - use this search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;|rest /services/search/jobs
 |rename custom.search as customSearch
 |search NOT author="splunk-system-user"
 |eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
 |search SearchString!=""
 |convert ctime(searchEarliestTime) as STime timeformat=%d/%m/%y
 |convert ctime(searchLatestTime) as LTime timeformat=%d/%m/%y
 |addtotals fieldname=duration *duration_secs
 |convert rmunit(duration) as numSecs
 |eval stringSecs=tostring(duration,"duration")
 |eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
 | rex field=stringSecs "\.(?&amp;lt;ms&amp;gt;\d{3})" | rex field=stringSecs "(?&amp;lt;myRest&amp;gt;.+)s\." | eval stringSecs=myRest. "s " .ms. "ms"
 |table author SearchString duration stringSecs
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;It has an additional line with &lt;CODE&gt;rex&lt;/CODE&gt; and &lt;CODE&gt;eval&lt;/CODE&gt; to get milliseconds in the result. &lt;/P&gt;

&lt;P&gt;Hope this helps and works for you ...&lt;/P&gt;

&lt;P&gt;cheers, MuS&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 09:17:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272400#M81999</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2016-02-08T09:17:44Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272401#M82000</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)\.(\d+)","\1h \2min \3s \4ms")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;works fine for me. Are you sure you used exactly that line? I don't see a reason it shouldn't do the trick.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 09:20:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272401#M82000</guid>
      <dc:creator>jeffland</dc:creator>
      <dc:date>2016-02-08T09:20:39Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272402#M82001</link>
      <description>&lt;P&gt;Hi @jeffland, thank you for this. I can now get this to work. I can only assume that this was a typo in my original query.&lt;/P&gt;

&lt;P&gt;Many thanks and kind regards&lt;/P&gt;

&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 09:48:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272402#M82001</guid>
      <dc:creator>IRHM73</dc:creator>
      <dc:date>2016-02-08T09:48:43Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272403#M82002</link>
      <description>&lt;P&gt;Hi @Mus yes it was asked before but I couldn't get this to work as I alluded to in that post, and I wasn't sure about the protocol of raising new posts and linking to prior ones.&lt;/P&gt;

&lt;P&gt;Anyway the solution you posted above works great, thank you for taking the time to come back to me with this.&lt;/P&gt;

&lt;P&gt;Many thanks and kind regards&lt;/P&gt;

&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 09:52:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272403#M82002</guid>
      <dc:creator>IRHM73</dc:creator>
      <dc:date>2016-02-08T09:52:16Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272404#M82003</link>
      <description>&lt;P&gt;Hi Jeffland,&lt;/P&gt;

&lt;P&gt;Yes, this works - but it will give you a 6 digit value for &lt;CODE&gt;milliseconds&lt;/CODE&gt; and I reckon @IRHM73 was after a 2-3 digit millisecond value.&lt;/P&gt;

&lt;P&gt;cheers, MuS&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 09:58:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272404#M82003</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2016-02-08T09:58:34Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272405#M82004</link>
      <description>&lt;P&gt;If so, I didn't recognize that - I assumed that since he wants to display "00h" if the duration was less than an hour, he also wants all digits including zeros in the milliseconds.&lt;BR /&gt;
@IRHM73, if you want to exclude trailing zeros, the following should do that:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)\.(\d+?)0*$","\1h \2min \3s \4ms")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Of course the same logic can be applied to the rex-variant proposed by MuS &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 10:24:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272405#M82004</guid>
      <dc:creator>jeffland</dc:creator>
      <dc:date>2016-02-08T10:24:06Z</dc:date>
    </item>
    <item>
      <title>Re: Extract Milliseconds</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272406#M82005</link>
      <description>&lt;P&gt;Hi @jeffland, no that's absolutely fine. Thank you for coming back to me with this, I really appreciate it.&lt;/P&gt;

&lt;P&gt;Many thanks and kind regards&lt;/P&gt;

&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2016 10:30:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Extract-Milliseconds/m-p/272406#M82005</guid>
      <dc:creator>IRHM73</dc:creator>
      <dc:date>2016-02-08T10:30:33Z</dc:date>
    </item>
  </channel>
</rss>

