Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Archive

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Xe03kfp

Path Finder

02-12-2013
10:11 AM

I have an issue with calculating seconds that go over 60 minutes that sums to be a few days.

One of my eval calculations sums to be 496089.166322 seconds and if I use

|fieldformat "Total Time"=strftime('Total Time', "%M:%S") I get 48:09 as the sum but should calculate to 5 days, 17 hours, 48 minutes and 9 seconds

I am not sure if I have to use a macro to do the job? LINK

Or missing something obvious?

I have searched through every variation of this and have tried all the common date and time format variables with strftime( converts epoch time to format Y )

Here is my current search string where I have to break down the Days Hours Minutes and Seconds along with a ScreenCapture

Search String:

index="snort"

( 2222222 dest*port="*") OR (1111111 src*port="*") OR ( 1111111 src_ip="*") OR (2222222 dest*ip="*")
| eval disconnect*time=if(match(

| eval connect

| eval Ephemeral=if(isnotnull(disconnect

| eval Ephemeral=if(isnotnull(connect

| stats min(connect

| eval Seconds=Disconnect-Connect

| fieldformat "Seconds"=strftime('Seconds', "%s")

| eval Minutes=Seconds/60 | eval Hours=Minutes/60

| eval Days=Hours/24

| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)

| search Connect=* Disconnect=*

| rename Ephemeral as "Connection Port", Total_time as "lala"

1 Solution

Highlighted

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

jaraneda

Engager

02-12-2013
10:28 AM

Hello,

I think that you have to use "tostring" on the eval command

```
| eval "Total Time"=tostring(Seconds,"duration")
```

The result of that command is 5+17:48:09.166322

where "5+" is the number of days.

I hope this help you 🙂

Highlighted
##

Yes that worked! To make it pretty..is there a way to take away the miliseconds? Also, how would I sum the "Total Seonds" as a "Total Time" like: | transpose | "Total Time" string --so the total time shows left justified?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Calculate Seconds that are over 60 minutes, to Days, Hours, Minutes, Seconds

Xe03kfp

Path Finder

02-12-2013
10:39 AM

Highlighted
##

I found addcoltotals gives me a total in seconds for the field I specify, then I will have to convert the seconds.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Calculate Seconds that are over 60 minutes, to Days, Hours, Minutes, Seconds

Xe03kfp

Path Finder

02-12-2013
11:09 AM

Highlighted
##

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

Re: Calculate Seconds that are over 60 minutes, to Days, Hours, Minutes, Seconds

Oisin77

Explorer

11-27-2013
01:34 AM

Can you get the amount of days on its own?