Re: Finding Duration and formatting output

scottmkirkland · ‎03-13-2025

I'm having trouble getting my duration into the format I'd prefer... I'd like to see the duration to be MM:SS. However, despite a few different approaches, I keep getting milliseconds.

scottmkirkland · ‎03-19-2025

Thank you @VatsalJagani

I took that and I'm trying to get the avg response time for each year. AvgAtScene is in seconds, so I'm trying to get that into the duration. Any suggestions there?

ITWhisperer · ‎03-19-2025

| eval AvgResponse=tostring(round(AvgAdScene,0),"duration")

ITWhisperer · ‎03-13-2025

Stop parsing the milliseconds from your time values, or convert the resultant time to an integer, or round the times to zero decimal places.

scottmkirkland · ‎03-14-2025

@ITWhisperer Are you suggesting I just drop the %N in my strptime?

If I do that, my results don't change.

isoutamo · ‎03-16-2025

You should use round to seconds before (or inside) tostring function. That just drop ms away.

VatsalJagani · ‎03-16-2025

@scottmkirkland- In your latest query you can just drop all millisecond zeros with the help of substr.

Example:

| eval secondsToAtScene = tonumber(substr(secondsToAtScene, 1, len(secondsToAtScene)-7))

This will just remove last 7 characters which will remove milliseconds part from it.

And you can apply this to any fields the same way.

Finding Duration and formatting output

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation