Splunk Search

How do I convert Duration field in sec to day Hr Min Sec?

Abhineet
Loves-to-Learn Everything

Base query:

index=jenkins* teamcenter
|search event_tag=job_event
|search build_url=*TC_Active*
|where isnotnull(job_duration)
|rex field=job_name "(?<app>[^\.]*)\/(?<repo>[^\.]*)\/(?<jobname>[^\.].*)"
|rex field=metadata.GIT_BRANCH_NAME "(?<branch>.*)"
|rex field=user "(?<user>[^\.]*)"
|search app="*" AND repo="*" AND jobname="*" AND branch="*" AND user="*"
| eval string_dur = tostring(round(job_duration), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|rename job_started_at AS DateTime app AS Repository branch AS Branch jobname AS JobName job_result AS Job_Result formatted_dur AS Job_Duration "stages{}.name" AS "Stage View" "stages{}.duration" AS Duration
|table DateTime Repository Branch JobName Job_Result Job_Duration "Stage View" Duration

Output: 

DateTime Repository Branch JobName Job_Result Job_Duration Stage View Duration

2022-07-07T11:47:39Z TeamCenter/TC_Active/TCUA_Builds release/ALM_TC15.5 AMAT_Key_Part_Family_Extraction SUCCESS d 0h 15m 35s
Preparation
Sonar Analysis
Build
Save Artifacts
108.817
419.698
15.819
376.698
2022-07-07T17:14:49Z TeamCenter/TC_Active/Portal release/ALM_TC15.5 com.amat.rac SUCCESS d 0h 25m 49s
Preparation
Sonar Analysis
Build
Save Artifacts
105.014
1309.388
29.486
101.647

 

Need to add another column in output "stage_duration" which will convert "Duration" field value in  "Day Hr Min Sec" format. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Abhineet,

let me understand: you have a field, called "stage_duration" that contains a duration expressed in seconds and you want to rename it in "Duration" and display in format days, hours, minutes, seconds, is it correct?

Sorry but I don't understand why at the end of your servs you don't add:

| eval Duration=tostring(stage_duration,"duration")

Ciao.

Giuseppe

0 Karma

Abhineet
Loves-to-Learn Everything

Hi @gcusello 

We have field "Duration" in output sent previously as image.

Want to convert all  "Duration " field value into "day Hr Min Sec" format as field "Stage_Duration".

For single event we have multiple "Duration" field Value as per "Stage View" field mentioned in below mentioned sample output image.

Abhineet_0-1657288863765.png

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Abhineet,

viewing your screenshot, I see that Duration is a multivalue field so the tostring option doesn't run.

Ciao.

Giuseppe 

0 Karma

Abhineet
Loves-to-Learn Everything

Hi @gcusello 

That's correct, how we can format the value of "Duration" field in "HH:MM:SS" format?

0 Karma

Abhineet
Loves-to-Learn Everything

Formatted Output for query inserted as image.

Abhineet_0-1657282060041.png

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Abhineet,

why don't you use for these fields the "tostring" option that you already used?

Ciao.

Giuseppe

0 Karma

Abhineet
Loves-to-Learn Everything

HI @gcusello 

That is not working as in single event have multiple stages and those stages duration need to format.

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...