Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Conver string to time duration.

marquiselee
Path Finder
‎10-10-2013 01:18 PM

Hi I have logs where the media length/duration is displayed in a non standard format. anyone think this can be converted into seconds? *In some cases duration is reported as 0 too.

#   MEDIA ID   Duration

1       69911   1h 50mn
2       74454   1h 9mn
3       69910   1mn 58s
4       69909   59s 221ms
5       74453   17mn 4s
6       74452   2h 13mn
7       74451   0
8       74450   56s 134ms
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 11:22 AM

THANK YOU!!! this worked perfectly.

0 Karma
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 07:01 AM

each mediaid is from a distinct xml log file that is indexed. I should note that duration is not from a transaction but rather from the xml file.

...| xmlkv | table "MEDIA ID" "Duration"

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-10-2013 02:13 PM

is this within a single event? And there are no timestamps, field extractions etc etc

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...