Regex in Dashboard is taking too much time

Path Finder

Hi Everyone

I have multiple rex queries in my dashboard which are taking too much time.

Is there any way to take the rex out of my dashboard?

The query I am using is:

|rex field=a "(?<a_hour>[^:]+)?:(?<a_min>\d+)?:(?<a_sec>\d+)"
| eval a_seconds =(a_hour*3600)+(a_min * 60) + a_sec

Like this I have multiple queries for multiple fields.

Please help me out.

Thanks
Nikks


SplunkTrust

Give this a try (adding HH portion if not present, then using convert)

....| eval a=if(len(a)!=8,"00".a,a)
| convert dur2sec(a) as a_seconds


Path Finder

Thanks somesoni.

It worked.

Can we create a calculated field for the

| eval a=if(len(a)!=8,"00".a,a)
 | convert dur2sec(a) as a_seconds

Thanks
Nikks

SplunkTrust

Can we have some sample data please, for field a?

Super Champion

I agree, can we have a few samples of this? If your timestamp is in :MM:HH, the regex above doesn't seem likely to work properly.

Path Finder

Hi

It used to get data like:
:00:00
12:34:78
:34:56

Super Champion

Your field a is HH:MM:SS?
You could just do a |convert dur2sec(a) as a_seconds

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Convert

Path Finder

Hi

It is in :MM:HH format.

I tried |convert dur2sec(a) as a_seconds but it didn't work with the above format.

Is there any other way?

Thanks
Nikks

Super Champion

Can you try to add timeformat=":%M:%H"?

Path Finder

Can you tell me how to add this?