Splunk Search

How can I convert duration to seconds? "1h 2m 3s" to 3723

arianf
Engager

I have a a field that is called rawtime that has a bunch of durations. My end goal is to graph per hour the average duration.

I'm stuck at being able to convert the duration as it's being logged into seconds.

alt text

arianf
Engager

I was able to come up with a solution for this as well... my solution is probably less performant.... not sure.

... | rex field=timeraw, "(?<minutes>\d{1,2})m" | rex field=timeraw, "(?<seconds>\d{1,2})s" | fillnull | eval totalseconds=seconds+(minutes*60) | timechart span=1d avg(totalseconds) as AverageUploadTime

FrankVl
Ultra Champion

I was thinking along those lines as well. The solution from @niketnilay is nice in the sense that it allows you to use the convert command, but the pre-processing looks quite complex to me. Having to perform multiple matches and then a double replace. Wouldn't be surprised if simply extracting minutes and seconds and calculating the seconds like you do turns out more efficient. At least it is a hell of a lot easier to read and that's worth a lot if you ask me 🙂

niketn
Legend

@arianf glad you were able to figure out your solution... ain't that the greatest feeling 🙂

@FrankVI, yeah first I thought it was easy, then I realized... ooops I have traversed the wrong path 😄

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@arianf, you can use convert command with dur2sec() function, however, it expects the Duration time string in the following format: (1) With days included included d+HH:MM:SS (2) Without Days: HH:MM:SS.

So you would need to create a separate eval to format your Time Duration to above format first (the eval can be saved as Calculated Field and/or Macro for maintenance and scalability. If time duration is absolute the following expects lower time units will be also present (if not the conditions will change and more conditions will be required) i.e. If exact 1 hour duration is present it be be 1h 0m 1s in log.

| makeresults 
| eval timeraw="2d 1h 20m 30s,1h 31m 23s,30s,1m 24s" 
| makemv timeraw delim="," 
| mvexpand timeraw 
| eval timeInSec=case(match(timeraw,"^\d+d\s\d+h\s\d+m\s\d+s$"),replace(replace(replace(timeraw,"d\s","+"),"h|m|s","")," ",":"),
                      match(timeraw,"^\d+h\s\d+m\s\d+s$"),replace(replace(timeraw,"h|m|s","")," ",":"),
                      match(timeraw,"^\d+m\s\d+s$"),"00:".replace(replace(timeraw,"m|s","")," ",":"),
                      match(timeraw,"^\d+s$"),"00:00:".replace(replace(timeraw,"m|s","")," ",":")) 
| eval timeFormatted=timeInSec 
| convert dur2sec(timeInSec)

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...