That value is not compatible with converting to epoch time because Splunk doesn't know when the time starts. The strptime function expects you are sending it some form of wall clock time, not a duration.
So, what is the start time, and what output would you really like to see: a clock time, or the number of seconds that duration represents (e.g., 34,952 seconds)?
You are nearly right - I think your only problem is that you are quoting your field inside the strptime - when you quote it Splunk treats it as a string with a value of "Duration" and tries to extract Hours, Minutes and Seconds from the word "Duration", not the field.
eval "Duration"=strptime(Duration, "%Hh:%Mm:%Ss")
If your "Duration" field ever has spaces, you can use single quotes to quote it and it'll work. See all three (No quotes, single quotes and regular quotes) in the below "run anywhere" example.
| makeresults | eval dur1="9h:42m:32s" | eval "edur1"=strptime("dur1", "%Hh:%Mm:%Ss") | eval "edur2"=strptime('dur1', "%Hh:%Mm:%Ss") | eval "edur3"=strptime(dur1, "%Hh:%Mm:%Ss")
Notice it doesn't return "edur1".
_time                dur1        edur2              edur3
2017-02-25 07:01:47  9h:42m:32s  1488037352.000000  1488037352.000000
Do you want to convert your duration to epoch time or convert it to number of seconds? If it's the latter, try like this:
your current search | eval Duration=replace(Duration,"[hms]","") | convert dur2sec(Duration) as Duration
your current search | eval Duration=strptime(Duration,"%Hh:%Mm:%Ss")-relative_time(now(),"@d")
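The following run-anywhere search is an added example, not part of any of the answers above. It pulls the hours, minutes and seconds out with rex and does the arithmetic directly, so the result does not depend on the day the search runs, and it sits next to the strptime-minus-midnight approach for comparison. The three Duration values are constructed samples; the third has more than 23 hours, which %H (an hour of the day, 00 to 23) is not meant to describe. The field names h, m, s, secs, via_strptime and readable are chosen here for illustration.

```spl
| makeresults
| eval Duration=split("9h:42m:32s,0h:05m:07s,27h:00m:01s", ",")
| mvexpand Duration
| rex field=Duration "^(?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s$"
| eval secs = tonumber(h)*3600 + tonumber(m)*60 + tonumber(s)
| eval via_strptime = strptime(Duration, "%Hh:%Mm:%Ss") - relative_time(now(), "@d")
| eval readable = tostring(secs, "duration")
| table Duration secs via_strptime readable
```

Compare the secs and via_strptime columns row by row to see where the wall-clock parse and the plain arithmetic agree and where they diverge.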