Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't convert timeformat to unix

dtaylor
Path Finder
3 weeks ago

Hopefully I've only got a small problem this time, but I've had no luck fixing it despite hours of trying. All I'm trying to do is convert a string time field to unix using strptime. This is my time field:

Ended: 0d1h55m0s

 

I've been trying to convert it to unix using the following command:

| eval time_sec = strptime('Time', "Ended: %dd%Hh%Mm%Ss")

 

For clarity, this is the full search:

| inputlookup metrics.csv
| eval occurred=strftime(strptime(occurred,"%a, %d %b %Y %T %Z"), "%F %T %Z")
| eval closed=strftime(strptime(closed,"%a, %d %b %Y %T %Z"), "%F %T %Z")
| eval time_sec = strptime('Time', "Ended: %dd%Hh%Mm")
| where strptime(occurred, "%F %T") >= strptime("2025-05-01 00:00:00", "%F %T") AND (isnull(closeReason) OR closeReason="Resolved")
| fillnull value=Resolved closeReason

 

The example time I've posted above 0d1h55m0s should ideally convert to 6900(seconds).

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Prewin27
Communicator
3 weeks ago

@dtaylor 

strptime expects a date/time string, not a duration.
Your field (Ended: 0d1h55m0s) is a duration (days, hours, minutes, seconds), not an absolute date/time.

try below,

| rex field=Time "Ended: (?<days>\d+)d(?<hours>\d+)h(?<minutes>\d+)m(?<seconds>\d+)s"
| eval duration = (days*86400) + (hours*3600) + (minutes*60) + seconds

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
3 weeks ago

In addition to @Prewin27's breakdown method, I can suggest relative_time to take advantage of Splunk's format strings.

| eval offset = replace('Time', "Ended: (\d+d)(\d+h)(\d+m)(\d+s)", "+\1+\2+\3")
| eval time_sec = relative_time(0, offset)

relative_time's offset requires a + or a - before every time unit.  So, we transform 0d1h55m0s to +0d+1h+55m.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

Prewin27
Communicator
3 weeks ago

@dtaylor 

strptime expects a date/time string, not a duration.
Your field (Ended: 0d1h55m0s) is a duration (days, hours, minutes, seconds), not an absolute date/time.

try below,

| rex field=Time "Ended: (?<days>\d+)d(?<hours>\d+)h(?<minutes>\d+)m(?<seconds>\d+)s"
| eval duration = (days*86400) + (hours*3600) + (minutes*60) + seconds

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...