Splunk Search

## How can I convert duration to seconds? "1h 2m 3s" to 3723

Engager

I have a a field that is called rawtime that has a bunch of durations. My end goal is to graph per hour the average duration.

I'm stuck at being able to convert the duration as it's being logged into seconds.

Tags (2)
Engager

I was able to come up with a solution for this as well... my solution is probably less performant.... not sure.

``````... | rex field=timeraw, "(?<minutes>\d{1,2})m" | rex field=timeraw, "(?<seconds>\d{1,2})s" | fillnull | eval totalseconds=seconds+(minutes*60) | timechart span=1d avg(totalseconds) as AverageUploadTime
``````
Ultra Champion

I was thinking along those lines as well. The solution from @niketnilay is nice in the sense that it allows you to use the convert command, but the pre-processing looks quite complex to me. Having to perform multiple matches and then a double replace. Wouldn't be surprised if simply extracting minutes and seconds and calculating the seconds like you do turns out more efficient. At least it is a hell of a lot easier to read and that's worth a lot if you ask me 🙂

Legend

@arianf glad you were able to figure out your solution... ain't that the greatest feeling 🙂

@FrankVI, yeah first I thought it was easy, then I realized... ooops I have traversed the wrong path 😄

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Legend

@arianf, you can use `convert` command with `dur2sec()` function, however, it expects the Duration time string in the following format: (1) With days included included `d+HH:MM:SS` (2) Without Days: `HH:MM:SS`.

So you would need to create a separate eval to format your Time Duration to above format first (the eval can be saved as `Calculated Field` and/or `Macro` for maintenance and scalability. If time duration is absolute the following expects lower time units will be also present (if not the conditions will change and more conditions will be required) i.e. If exact `1 hour` duration is present it be be `1h 0m 1s` in log.

``````| makeresults
| eval timeraw="2d 1h 20m 30s,1h 31m 23s,30s,1m 24s"
| makemv timeraw delim=","
| mvexpand timeraw
| eval timeInSec=case(match(timeraw,"^\d+d\s\d+h\s\d+m\s\d+s\$"),replace(replace(replace(timeraw,"d\s","+"),"h|m|s","")," ",":"),
match(timeraw,"^\d+h\s\d+m\s\d+s\$"),replace(replace(timeraw,"h|m|s","")," ",":"),
match(timeraw,"^\d+m\s\d+s\$"),"00:".replace(replace(timeraw,"m|s","")," ",":"),
match(timeraw,"^\d+s\$"),"00:00:".replace(replace(timeraw,"m|s","")," ",":"))
| eval timeFormatted=timeInSec
| convert dur2sec(timeInSec)
``````

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Take the 2021 Splunk Career Survey

### Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey.Earn \$50 in Amazon cash! Full Details! >

Get Updates on the Splunk Community!