Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Conver string to time duration.

marquiselee
Path Finder
‎10-10-2013 01:18 PM

Hi I have logs where the media length/duration is displayed in a non standard format. anyone think this can be converted into seconds? *In some cases duration is reported as 0 too.

#   MEDIA ID   Duration

1       69911   1h 50mn
2       74454   1h 9mn
3       69910   1mn 58s
4       69909   59s 221ms
5       74453   17mn 4s
6       74452   2h 13mn
7       74451   0
8       74450   56s 134ms
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 11:22 AM

THANK YOU!!! this worked perfectly.

0 Karma
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 07:01 AM

each mediaid is from a distinct xml log file that is indexed. I should note that duration is not from a transaction but rather from the xml file.

...| xmlkv | table "MEDIA ID" "Duration"

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-10-2013 02:13 PM

is this within a single event? And there are no timestamps, field extractions etc etc

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...