Splunk Search

Convert string to time duration.

marquiselee
Path Finder

Hi, I have logs where the media length/duration is displayed in a non-standard format. Does anyone think this can be converted into seconds? *In some cases duration is reported as 0 too.

#   MEDIA ID   Duration

1       69911   1h 50mn
2       74454   1h 9mn
3       69910   1mn 58s
4       69909   59s 221ms
5       74453   17mn 4s
6       74452   2h 13mn
7       74451   0
8       74450   56s 134ms
0 Karma
1 Solution

richgalloway
SplunkTrust

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)h)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?"
| fillnull value=0
| eval secs=(Hrs*3600)+Mins*60+Sec
| eval Time=tostring(secs, "duration")
| table Duration, Time
---
If this reply helps you, Karma would be appreciated.
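
A self-contained variant of the search above that can be pasted into a search bar to check the parsing against the durations from the question (added example, not part of the original thread). It assumes the hour suffix is `h` as in the sample data, anchors the pattern and uses `\d+` so that a stray unit cannot be swallowed into a neighbouring field, and adds two hypothetical fields: `Ms` for the millisecond part and `parse_ok`, which separates a genuine `0` from a value the pattern could not parse. The last sample value (`1x 5mn`) is constructed to show the failure case.

```spl
| makeresults
| eval Duration=split("1h 50mn,1h 9mn,1mn 58s,59s 221ms,17mn 4s,2h 13mn,0,56s 134ms,1x 5mn", ",")
| mvexpand Duration
| rex field=Duration "^(?:(?<Hrs>\d+)h)?\s*(?:(?<Mins>\d+)mn)?\s*(?:(?<Sec>\d+)s)?\s*(?:(?<Ms>\d+)ms)?$"
| eval parse_ok=if(Duration="0" OR isnotnull(coalesce(Hrs, Mins, Sec, Ms)), "yes", "no")
| fillnull value=0 Hrs Mins Sec Ms
| eval secs=Hrs*3600 + Mins*60 + Sec + Ms/1000
| eval Time=tostring(round(secs), "duration")
| table Duration parse_ok secs Time
```

Rows with `parse_ok=no` still show `secs=0` after `fillnull`, so filter on the flag before aggregating durations.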

marquiselee
Path Finder

THANK YOU!!! This worked perfectly.

0 Karma

marquiselee
Path Finder

Each mediaid is from a distinct XML log file that is indexed. I should note that duration is not from a transaction but rather from the XML file.

...| xmlkv | table "MEDIA ID" "Duration"

0 Karma

kristian_kolb
Ultra Champion

Is this within a single event? And there are no timestamps, field extractions, etc.?

0 Karma