How to convert second to HH:MM:SS format in the exported search result?

zliu
Splunk Employee

For example, 637 in second to 0:10:37 in the exported search result.

1 Solution

SK110176
Path Finder
| eval field_in_hhmmss=tostring(field_in_secs, "duration")

field_in_hhmmss is the newly formatted field
field_in_secs is the field name whose values are in seconds

jrodman
Splunk Employee

Thanks for the updated answer. I forget when we introduced this, but it was probably before 5.x.

smolcj
Builder

https://github.com/RubenOlsen/splunkcommands/tree/master/sec2time
Working awesome.
I strongly recommend this.

jrodman
Splunk Employee

We have some conversion functions for converting an offset in seconds from the UNIX epoch to a human-readable datetime, such as from 1266394237 to Jan 3, 2009, 02:13:45 PST.

For your case of a duration in seconds to a human-readable duration, we do not have any built-in facility in 4.0. In 4.1, the method will be |eval pretty_time=tostring(num_seconds, "duration") where num_seconds is an integer quantity of seconds or a decimal quantity of seconds and sub-seconds. This should get documented in Functions for Eval and Where. It will emit HH:MM:SS, or DD+HH:MM:SS if over a day.

See also SPL-25013

My simplistic method for 3.x, which should also work in 4.0, was (floor() is needed on the hour and minute fields, otherwise the divisions leave fractional values and the remainders come out wrong):

splunk> search terms... | eval my_hours=floor(seconds / 60 / 60) | eval my_minutes=floor(seconds / 60 - my_hours * 60) | eval my_seconds=seconds - my_hours * 60 * 60 - my_minutes * 60 | strcat my_hours ":" my_minutes ":" my_seconds my_time

This created a field called my_time with the string version.
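The two approaches above (the built-in tostring(x, "duration") behaviour described in this post and the manual floor/remainder arithmetic) are shown below in Python as an added example that is not part of the thread or of Splunk's own code. The HH:MM:SS / DD+HH:MM:SS shape follows the post; the zero-padding and the rendering of sub-seconds are assumptions, and the row-processing helper and its sample rows are constructed here to stand in for an exported search result with a seconds field.

```python
"""Duration formatting in the style of Splunk's tostring(<secs>, "duration").

Added illustration, not Splunk code. Assumptions: two-digit zero padding,
days rendered as "D+" in front, and fractional seconds kept to three places.
"""
from __future__ import annotations

import math


def seconds_to_duration(secs: float) -> str:
    """Format a non-negative duration in seconds as HH:MM:SS, or DD+HH:MM:SS
    when the duration is a day or longer. Whole-number input gives an integer
    seconds field; fractional input keeps the fraction on the seconds field."""
    if secs < 0:
        raise ValueError("durations must be non-negative")
    whole = int(math.floor(secs))
    frac = secs - whole
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    # Sub-second rendering is an assumption; Splunk's exact output may differ.
    sec_str = f"{seconds + frac:06.3f}" if frac else f"{seconds:02d}"
    hhmmss = f"{hours:02d}:{minutes:02d}:{sec_str}"
    return f"{days}+{hhmmss}" if days else hhmmss


def strcat_style_hhmmss(secs: int) -> str:
    """The manual eval/strcat arithmetic from the thread, with floor() applied
    to hours and minutes. Produces the unpadded H:M:S form (637 -> "0:10:37")."""
    my_hours = math.floor(secs / 60 / 60)
    my_minutes = math.floor(secs / 60 - my_hours * 60)
    my_seconds = secs - my_hours * 60 * 60 - my_minutes * 60
    return f"{my_hours}:{my_minutes}:{my_seconds}"


# Constructed sample rows standing in for an exported search result.
SAMPLE_ROWS = [
    {"host": "web01", "field_in_secs": "637"},
    {"host": "web02", "field_in_secs": "90061"},
    {"host": "web03", "field_in_secs": "0.5"},
]


def add_duration_field(rows, src="field_in_secs", dst="field_in_hhmmss"):
    """Mirror `| eval field_in_hhmmss=tostring(field_in_secs, "duration")`
    over a list of result rows: copy each row and add the formatted field.
    Exported values arrive as strings, so they are converted to float first."""
    out = []
    for row in rows:
        new_row = dict(row)
        new_row[dst] = seconds_to_duration(float(row[src]))
        out.append(new_row)
    return out


if __name__ == "__main__":
    for row in add_duration_field(SAMPLE_ROWS):
        print(row["host"], row["field_in_secs"], "->", row["field_in_hhmmss"])
    print("strcat style:", strcat_style_hhmmss(637))
```

The round trip through float matters for exported CSVs: the seconds field comes back as text, and feeding it to the integer arithmetic without conversion silently breaks the divisions.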

RubenOlsen
Path Finder

I have created a custom search command which correctly returns HH:MM:SS, without getting stuck with the issues that strftime() and friends (i.e. ctime) can be plagued with.

Take a look at https://github.com/RubenOlsen/splunkcommands/tree/master/sec2time

V_at_Splunk
Splunk Employee

Use http://www.epochconverter.com/ or such to find some epoch time for a midnight. Say, 1266393600 is "Wed 17 Feb 2010 12:00:00 AM PST". Now, add your input of 637, getting 1266394237.

splunk search "* | head 1 | eval foo=1266394237 | convert timeformat=%H:%M:%S ctime(foo) | fields foo | fields - _*" -auth admin:changeme -preview 0

gives

foo
--------
00:10:37

Yes it's ugly, but it works! 😉

V_at_Splunk
Splunk Employee

To extract from a multivalue field, please see explanation here: http://answers.splunk.com/questions/285. Does that work for you, Splunker_J?

zliu
Splunk Employee

Thanks! In this case, foo is not a specific value, it is a field with many values in Splunk's search results.
