Solved: How to Convert time format?

Edwin1471 · ‎07-12-2022

Hi,

i need to write a query that converts time format from

minutes to format Xh Xmin Xs

my query

| eval finish_time_epoch = strftime(strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval start_time_epoch = strftime(strptime(START_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval duration_s = strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S") - strptime(START_TIME, "%Y-%m-%d %H:%M:%S")
| eval duration_min = round(duration_s / 60, 2)
| chart sum(duration_min) as "time" by Yd_count_data

gcusello · ‎07-12-2022

Hi @Edwin1471,

if "time" is the duration expressed in minutes, you have to add at the end of your search an eval statement like the following:

|  eval
   time_hours=round(time/60,0),
   time_min=round(time-time_hours*60,0),
   time_sec=round((time-time_hours*60-time_min)*60,0)
| eval time=time_hours." h ".time_min." m ".time_sec

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-12-2022

Hi @Edwin1471,

if "time" is the duration expressed in minutes, you have to add at the end of your search an eval statement like the following:

|  eval
   time_hours=round(time/60,0),
   time_min=round(time-time_hours*60,0),
   time_sec=round((time-time_hours*60-time_min)*60,0)
| eval time=time_hours." h ".time_min." m ".time_sec

Ciao.

Giuseppe

How to Convert time format?

chart

eval

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation