Hi, is there a way to drop the days and tidy it up so that instead of;

0 days 1 hours 43 minutes 47 secs.1428571428578

it produces;

1 hour, 43 minutes, 47 seconds.

Thanks!!

Do you just want to strip off "0 days", or do you want to multiply the number of days by 24 and add it to the hours?

Stripping of the "0 days" should be easy enough, just change the last line of that query to not print the days (remove the \1 days😞

 | eval duration2=replace(result,"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes \4 secs")

Probably need to multiply the number of days I guess. I need the total number of hours to jump to say, 28 hours, instead of 1 day, 4 hours.... if that makes sense

Hi

try this

| makeresults 
| eval minutes=1698 
| eval result = tostring(minutes*60, "duration") 
| rex field=result "((?P<day>\d+)\+){0,1}(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})" 
| eval hour=if(day>0,((day*24))+hour,hour) 
| eval result = hour." hours ".min." minutes ".sec." seconds" 
| table result

I made one adjustment in case you need the days to show up
If days are less than 1, there will be no value, so fillnull to 0


| makeresults
| eval minutes=1698
| eval result = tostring(minutes*60, "duration")
| rex field=result "((?P<day>\d+)\+){0,1}(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})"
| fillnull value=0 day
| eval result = day." days ".hour." hours ".min." minutes ".sec." seconds"
| table result


Adjusting the minutes value:

| makeresults
| eval minutes=111698
| eval result = tostring(minutes*60, "duration")
| rex field=result "((?P<day>\d+)\+){0,1}(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})"
| fillnull value=0 day
| eval result = day." days ".hour." hours ".min." minutes ".sec." seconds"
| table result

That's what I was going to suggest as well 🙂

Your both beautiful people 🙂

Thanks for the help.

beautiful. Thanks 🙂

Perfect. Thanks.

Sorry, me again. How would I tweak that if I wanted to drop the days from the output? so no mention of days, and just a total by hours, minutes, seconds? Thanks.