Splunk Search

How can I convert duration to seconds? "1h 2m 3s" to 3723


I have a a field that is called rawtime that has a bunch of durations. My end goal is to graph per hour the average duration.

I'm stuck at being able to convert the duration as it's being logged into seconds.

alt text


I was able to come up with a solution for this as well... my solution is probably less performant.... not sure.

... | rex field=timeraw, "(?<minutes>\d{1,2})m" | rex field=timeraw, "(?<seconds>\d{1,2})s" | fillnull | eval totalseconds=seconds+(minutes*60) | timechart span=1d avg(totalseconds) as AverageUploadTime

Ultra Champion

I was thinking along those lines as well. The solution from @niketnilay is nice in the sense that it allows you to use the convert command, but the pre-processing looks quite complex to me. Having to perform multiple matches and then a double replace. Wouldn't be surprised if simply extracting minutes and seconds and calculating the seconds like you do turns out more efficient. At least it is a hell of a lot easier to read and that's worth a lot if you ask me 🙂


@arianf glad you were able to figure out your solution... ain't that the greatest feeling 🙂

@FrankVI, yeah first I thought it was easy, then I realized... ooops I have traversed the wrong path 😄

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


@arianf, you can use convert command with dur2sec() function, however, it expects the Duration time string in the following format: (1) With days included included d+HH:MM:SS (2) Without Days: HH:MM:SS.

So you would need to create a separate eval to format your Time Duration to above format first (the eval can be saved as Calculated Field and/or Macro for maintenance and scalability. If time duration is absolute the following expects lower time units will be also present (if not the conditions will change and more conditions will be required) i.e. If exact 1 hour duration is present it be be 1h 0m 1s in log.

| makeresults 
| eval timeraw="2d 1h 20m 30s,1h 31m 23s,30s,1m 24s" 
| makemv timeraw delim="," 
| mvexpand timeraw 
| eval timeInSec=case(match(timeraw,"^\d+d\s\d+h\s\d+m\s\d+s$"),replace(replace(replace(timeraw,"d\s","+"),"h|m|s","")," ",":"),
                      match(timeraw,"^\d+h\s\d+m\s\d+s$"),replace(replace(timeraw,"h|m|s","")," ",":"),
                      match(timeraw,"^\d+m\s\d+s$"),"00:".replace(replace(timeraw,"m|s","")," ",":"),
                      match(timeraw,"^\d+s$"),"00:00:".replace(replace(timeraw,"m|s","")," ",":")) 
| eval timeFormatted=timeInSec 
| convert dur2sec(timeInSec)

Please try out and confirm!

| makeresults | eval message= "Happy Splunking!!!"
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!