Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting Duration Field value to seconds

adityapavan18
Contributor
‎03-27-2014 04:24 AM

I have a extracted field call CallDuration and in logs it in format

%H:%M:%S.%2N like 00:00:38.60

That means the call duartion was 38.60 secs.

Now how can i convert that duartion to total number of seconds.??

If field value is 01:05:45.20
The new field should hold total duration in seconds ie. 3945.20sec

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-27-2014 05:07 AM

Here's something to get you started:

eval duration=strptime(CallDuration,"%H:%M:%S.%2N") | eval base=strptime("00:00:00.00","%H:%M:%S.%2N") | eval secs=duration-base | table duration, secs
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gpullis
Communicator
‎06-10-2015 01:47 PM

There's now a convert function for this:

... | convert dur2sec(CallDuration) AS duration
Reply
Solved! Jump to solution

bugmenot
New Member
‎07-19-2018 03:36 PM

This answer is not valid, dur2sec does not support milliseconds. Proof: index=* | head 1 | eval CallDuration="00:00:38.60" | convert dur2sec(CallDuration) AS duration -> results in no duration field.

0 Karma
Reply
Solved! Jump to solution

MattZerfas
Communicator
‎09-04-2015 01:32 PM

The accepted answer should now be changed to this response since it is now a thing. SOOOO much cleaner and easier.

0 Karma
Reply
Solved! Jump to solution

MedralaG
Communicator
‎07-28-2017 07:29 AM

totally agree

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎03-27-2014 05:18 AM

Hi adityapavan18,

the following searchFu are example and you need to match them to your events, but you could do something like this:

... | rex field="_raw" "CallDuration: (?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s" | eval CallDurationInSeconds = ((hours*60*60)+(minutes*60)+(seconds))

or something like this if you have duration over or under one day:

... | rex field="_raw" "CallDuration: (?<dur_day>[0-9]+)?d? *(?<dur_hour>[0-9]+)h?:(?<dur_min>[0-9]+)m?" | eval connduration=(if(dur_day=="",0,dur_day)*1440*60)+(dur_hour * 60*60)+(dur_min*60)

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-27-2014 05:07 AM

Here's something to get you started:

eval duration=strptime(CallDuration,"%H:%M:%S.%2N") | eval base=strptime("00:00:00.00","%H:%M:%S.%2N") | eval secs=duration-base | table duration, secs
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-27-2014 06:49 AM

If you have many places where this conversion will take place, I would suggest to create a macro for it.

Reply
Solved! Jump to solution

MuS
Legend
‎03-27-2014 05:20 AM

that's a nice one as well and I was typing for to long 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...