Solved: How to convert second to HH:MM:SS format in the e...

zliu · ‎02-16-2010

For example, 637 in second to 0:10:37 in the exported search result.

SK110176 · ‎05-28-2013

| eval field_in_hhmmss=tostring(field_in_secs, "duration")

field_in_hhmmss is the newly formatted field
field_in_secs is the field name whose values are in seconds

View solution in original post

SK110176 · ‎05-28-2013

| eval field_in_hhmmss=tostring(field_in_secs, "duration")

field_in_hhmmss is the newly formatted field
field_in_secs is the field name whose values are in seconds

jrodman · ‎07-11-2014

Thanks for the updated answer. I forget when we introduced this, but it was probably before 5.x.

smolcj · ‎12-05-2012

https://github.com/RubenOlsen/splunkcommands/tree/master/sec2time
working awesome
i strongly recommend this

jrodman · ‎02-19-2010

We have some conversion functions for converting an offset in seconds from the UNIX epoch to a human-readable datetime, such as from 1266394237 to Jan 3, 2009, 02:13:45 PST.

For your case of a duration in seconds to a human readable duration, we do not have any built-in facility in 4.0. In 4.1, the method will be |eval pretty_time=tostring(num_seconds, "duration") where num_seconds is an integer quantity of seconds or a decimal quantity of seconds and sub-seconds. This should get documented in Functions for Eval and Where. It will emit HH:MM:SS or DD+HH:MM:SS if over a day

See also SPL-25013

My simplistic method for 3.x which should also work in 4.0 was:splunk> search terms... |eval my_hours=seconds / 60 / 60| eval my_minutes = seconds / 60 - my_hours * 60 | eval my_seconds = seconds - my_hours * 60 * 60 - my_minutes * 60 | strcat my_hours ":" my_minutes ":" my_seconds my_time

This created a field called my_time with the string version.

RubenOlsen · ‎12-01-2011

I have created a custom search command which correctly returns :: - without getting stuck with the issues that strftime() and friend (i.e. ctime) can be plagued with.

Take a look at https://github.com/RubenOlsen/splunkcommands/tree/master/sec2time

V_at_Splunk · ‎02-17-2010

Use http://www.epochconverter.com/ or such to find some epoch time for a midnight. Say, 1266393600 is "Wed 17 Feb 2010 12:00:00 AM PST". Now, add your input of 637, getting 1266394237.

splunk search "* | head 1 | eval foo=1266394237 | convert timeformat=%H:%M:%S ctime(foo) | fields foo | fields - _*" -auth admin:changeme -preview 0

gives

foo
--------
00:10:37

Yes it's ugly, but it works! 😉

V_at_Splunk · ‎02-18-2010

To extract from a multivalue field, please see explanation here: http://answers.splunk.com/questions/285. Does that work for you, Splunker_J?

zliu · ‎02-18-2010

Thanks! In this case, foo is not a specific value, it is a field with many value in splunk's search results.

How to convert second to HH:MM:SS format in the exported search result?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)