Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I convert Duration field in sec to day Hr Min Sec?

Abhineet
Loves-to-Learn Everything
‎07-08-2022 04:43 AM

Base query:

index=jenkins* teamcenter
|search event_tag=job_event
|search build_url=*TC_Active*
|where isnotnull(job_duration)
|rex field=job_name "(?<app>[^\.]*)\/(?<repo>[^\.]*)\/(?<jobname>[^\.].*)"
|rex field=metadata.GIT_BRANCH_NAME "(?<branch>.*)"
|rex field=user "(?<user>[^\.]*)"
|search app="*" AND repo="*" AND jobname="*" AND branch="*" AND user="*"
| eval string_dur = tostring(round(job_duration), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|rename job_started_at AS DateTime app AS Repository branch AS Branch jobname AS JobName job_result AS Job_Result formatted_dur AS Job_Duration "stages{}.name" AS "Stage View" "stages{}.duration" AS Duration
|table DateTime Repository Branch JobName Job_Result Job_Duration "Stage View" Duration

Output: 

DateTime Repository Branch JobName Job_Result Job_Duration Stage View Duration

2022-07-07T11:47:39Z TeamCenter/TC_Active/TCUA_Builds release/ALM_TC15.5 AMAT_Key_Part_Family_Extraction SUCCESS d 0h 15m 35s
Preparation
Sonar Analysis
Build
Save Artifacts
108.817
419.698
15.819
376.698
2022-07-07T17:14:49Z TeamCenter/TC_Active/Portal release/ALM_TC15.5 com.amat.rac SUCCESS d 0h 25m 49s
Preparation
Sonar Analysis
Build
Save Artifacts
105.014
1309.388
29.486
101.647

 

Need to add another column in output "stage_duration" which will convert "Duration" field value in  "Day Hr Min Sec" format. 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 06:36 AM

Hi @Abhineet,

let me understand: you have a field, called "stage_duration" that contains a duration expressed in seconds and you want to rename it in "Duration" and display in format days, hours, minutes, seconds, is it correct?

Sorry but I don't understand why at the end of your servs you don't add:

| eval Duration=tostring(stage_duration,"duration")

Ciao.

Giuseppe

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 07:02 AM

Hi @gcusello 

We have field "Duration" in output sent previously as image.

Want to convert all  "Duration " field value into "day Hr Min Sec" format as field "Stage_Duration".

For single event we have multiple "Duration" field Value as per "Stage View" field mentioned in below mentioned sample output image.

Abhineet_0-1657288863765.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 07:16 AM

Hi @Abhineet,

viewing your screenshot, I see that Duration is a multivalue field so the tostring option doesn't run.

Ciao.

Giuseppe 

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 08:17 AM

Hi @gcusello 

That's correct, how we can format the value of "Duration" field in "HH:MM:SS" format?

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 05:07 AM

Formatted Output for query inserted as image.

Abhineet_0-1657282060041.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 05:07 AM

Hi @Abhineet,

why don't you use for these fields the "tostring" option that you already used?

Ciao.

Giuseppe

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 05:10 AM

HI @gcusello 

That is not working as in single event have multiple stages and those stages duration need to format.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...