topic duration to seconds in Splunk Search

duration to seconds

tmarlette — Tue, 29 Sep 2020 15:36:13 GMT

I'm attempting to turn the duration of a process in the PS data into just seconds so I can sort appropriately and find the longest running processes for a single host. All of the data is being generated using the Splunk_TA_nix add-on.

IN this case, the problem seems to be when processes run for longer than 24 hours. The format comes out like this: 1-05:51:38
which I assume splunk is looking for a '+' instead of a '-' for the day count.

here's my current query:

index=nix sourcetype=ps 
| convert dur2sec(ELAPSED) as runTime
| stats avg(pctCPU) as CPU avg(pctMEM) as MEM by host pid runTime
| sort - runTime
| eval runTime=tostring(runTime, "duration")

This gives me an output that looks like this:

If I am to remove all of the conversion syntax, I get entries like this:

buuuuuttt, I can't sort on it because splunk doesn't recognize this as a field to sort ascending/descending.

Is there a way to do sort this field, or change it to seconds properly somehow?

Re: duration to seconds

DalJeanis — Fri, 01 Sep 2017 23:00:51 GMT

You Could do something like this...

|makeresults 
| eval ELAPSED="1-05:00:04 01:23:45 53:21 :17"
| makemv ELAPSED
| mvexpand ELAPSED
| rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)"
| eval runtime=86400*Coalesce(ElapsedDays,0) + 3600*Coalesce(ElapsedHours,0) + 60*Coalesce(ElapsedMinutes,0) + 1*Coalesce(ElapsedSeconds,0)

Re: duration to seconds

woodcock — Sun, 03 Sep 2017 22:01:08 GMT

Exactly how I would have done it, but inside of a macro.

Re: duration to seconds

DalJeanis — Sun, 03 Sep 2017 23:56:11 GMT

@woodcock - what, and make it repeatable and modular? Where's the fun in that? I'd much rather code it
from scratch every single time... zzzzz... huh, what was I saying?

Would you do it with two parameters, the input field and output field, while allowing them to be the same if desired?

Of course you would. And the intermediate rex-extract fields would probably be some set of characters that were meaningful but highly unlikely to exist in natural code. I've seen you use l33t for that purpose before, or just for fun.

Re: duration to seconds

tmarlette — Tue, 05 Sep 2017 22:07:14 GMT

I tried this, and it does work. The only catch is that my search is exceptionally slow due to the |mv commands I suspect. more tinkering....

Re: duration to seconds

DalJeanis — Tue, 05 Sep 2017 22:50:07 GMT

@tmarlette - sorry I didn't mark it for you - you only need lines 5 and 6. 1 thru 4 were to create test data.

Re: duration to seconds

tmarlette — Wed, 06 Sep 2017 15:05:03 GMT

yeah, I caught that. It woks fine, it's just pretty slow on my search head is all. Thanks for the help!

Re: duration to seconds

DalJeanis — Wed, 06 Sep 2017 18:00:51 GMT

@tmarlette - Hmmm. I don't see anything in that that should take very long.

Okay, there's a possibility that because of the question marks the rex is doing a little extra work backing up. Let's anchor the right side of the field and see if that cuts the time.

 | rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)$"