Solved: How to Convert time format?

Edwin1471 · ‎07-12-2022

Hi,

i need to write a query that converts time format from

minutes to format Xh Xmin Xs

my query

| eval finish_time_epoch = strftime(strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval start_time_epoch = strftime(strptime(START_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval duration_s = strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S") - strptime(START_TIME, "%Y-%m-%d %H:%M:%S")
| eval duration_min = round(duration_s / 60, 2)
| chart sum(duration_min) as "time" by Yd_count_data

gcusello · ‎07-12-2022

Hi @Edwin1471,

if "time" is the duration expressed in minutes, you have to add at the end of your search an eval statement like the following:

|  eval
   time_hours=round(time/60,0),
   time_min=round(time-time_hours*60,0),
   time_sec=round((time-time_hours*60-time_min)*60,0)
| eval time=time_hours." h ".time_min." m ".time_sec

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-12-2022

Hi @Edwin1471,

if "time" is the duration expressed in minutes, you have to add at the end of your search an eval statement like the following:

|  eval
   time_hours=round(time/60,0),
   time_min=round(time-time_hours*60,0),
   time_sec=round((time-time_hours*60-time_min)*60,0)
| eval time=time_hours." h ".time_min." m ".time_sec

Ciao.

Giuseppe

How to Convert time format?

chart

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation