I have a a field that is called rawtime that has a bunch of durations. My end goal is to graph per hour the average duration.
I'm stuck at being able to convert the duration as it's being logged into seconds.
I was able to come up with a solution for this as well... my solution is probably less performant.... not sure.
... | rex field=timeraw, "(?<minutes>\d{1,2})m" | rex field=timeraw, "(?<seconds>\d{1,2})s" | fillnull | eval totalseconds=seconds+(minutes*60) | timechart span=1d avg(totalseconds) as AverageUploadTime
I was thinking along those lines as well. The solution from @niketnilay is nice in the sense that it allows you to use the convert command, but the pre-processing looks quite complex to me. Having to perform multiple matches and then a double replace. Wouldn't be surprised if simply extracting minutes and seconds and calculating the seconds like you do turns out more efficient. At least it is a hell of a lot easier to read and that's worth a lot if you ask me 🙂
@arianf glad you were able to figure out your solution... ain't that the greatest feeling 🙂
@FrankVI, yeah first I thought it was easy, then I realized... ooops I have traversed the wrong path 😄
@arianf, you can use convert
command with dur2sec()
function, however, it expects the Duration time string in the following format: (1) With days included included d+HH:MM:SS
(2) Without Days: HH:MM:SS
.
So you would need to create a separate eval to format your Time Duration to above format first (the eval can be saved as Calculated Field
and/or Macro
for maintenance and scalability. If time duration is absolute the following expects lower time units will be also present (if not the conditions will change and more conditions will be required) i.e. If exact 1 hour
duration is present it be be 1h 0m 1s
in log.
| makeresults
| eval timeraw="2d 1h 20m 30s,1h 31m 23s,30s,1m 24s"
| makemv timeraw delim=","
| mvexpand timeraw
| eval timeInSec=case(match(timeraw,"^\d+d\s\d+h\s\d+m\s\d+s$"),replace(replace(replace(timeraw,"d\s","+"),"h|m|s","")," ",":"),
match(timeraw,"^\d+h\s\d+m\s\d+s$"),replace(replace(timeraw,"h|m|s","")," ",":"),
match(timeraw,"^\d+m\s\d+s$"),"00:".replace(replace(timeraw,"m|s","")," ",":"),
match(timeraw,"^\d+s$"),"00:00:".replace(replace(timeraw,"m|s","")," ",":"))
| eval timeFormatted=timeInSec
| convert dur2sec(timeInSec)
Please try out and confirm!