Splunk Search

How to convert seconds into hours, minutes and seconds?

Simon
Contributor

Hi all

I'm not sure if somebody already asked a question like mine.
How can I convert a field containing a duartion (not a timestamp!) in seconds into hours, minutes and seconds?
E.g.:

3855s --> 1h 4min 15s

Thanks
Simon

Labels (2)
Tags (3)
1 Solution

jotne
Communicator

This is a smal and good solution.

| eval time=tostring(filed_with_seconds, "duration")

 

This will convert 134 to 00:02:14

Tags (1)

bigll
Explorer

Hi.

Followed instructions, build a query:
My_Search
|rename "nodes{}.hostname" as "Host Name"
|rename "nodes{}.uptime_seconds" as uptime_seconds
|eval UP_TIME = tostring(round(secs), "duration")
|eval UpTime = replace(UP_TIME,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|eval result=replace(UpTime, "^d (0h (0m )?)?","")
|table "Host Name", UpTime, "uptime_seconds" 
-------------------------
In the result table I gut value in "uptime_second" field, but not "in UpTime"
UpTime field is empty.

Any sugestions?

Thank you in advance

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
|eval UP_TIME = tostring(round(secs), "duration")

should be

|eval UP_TIME = tostring(round(uptime_seconds), "duration")

bigll
Explorer

Thank you.

0 Karma

lguinn2
Legend

There is an easier way! Assume that the field is named secs

yoursearchhere
| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")

The resulting formatted string is called stringSecs, although you could use the original field name in the last eval.
BTW I would leave off the last eval and see if that will work for you.

tallpaulf
Engager

I realise this is getting a bit old, but in case it helps someone else (like this helped me!), I'll share my extension of this answer.

I wanted to include days in the result, and remove leading zeroes from terms, and leading terms if they were zero. This is my query:

| eval string_dur = tostring(round(secs), "duration") 
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval result=replace(formatted_dur, "^d (0h (0m )?)?","") 

Sample results (including intermediate strings):

secs         string_dur   formatted_dur    result
-----------  -----------  ---------------  ---------------
      2.000  00:00:02     d 0h 0m 2s       2s  
     12.500  00:00:13     d 0h 0m 13s      13s  
    144.333  00:02:24     d 0h 2m 24s      2m 24s  
   1728.250  00:28:48     d 0h 28m 48s     28m 48s  
  20736.200  05:45:36     d 5h 45m 36s     5h 45m 36s  
 248832.167  2+21:07:12   2d 21h 7m 12s    2d 21h 7m 12s  
2985984.143  34+13:26:24  34d 13h 26m 24s  34d 13h 26m 24s  

andygerber
Path Finder

Note that this does not work if numSecs=0, as tostring returns 00:00:00 and the regex does not match.

| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")

add

| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs)
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")

fixed it, not especially elegant...

0 Karma

mrickert91
New Member

this is awesome, thanks!

0 Karma

sheshanath
Loves-to-Learn Lots

Use eval() and then try to convert into h:m:s

0 Karma

rijom
Explorer

Broken link 😞

0 Karma

yeasuh
Community Manager
Community Manager

Hi @rijom 

Could this be what you're looking for?

https://community.splunk.com/t5/Splunk-Search/How-to-convert-seconds-to-h-mm-ss/m-p/291666

Thank you so much!
0 Karma

cmeisch
Path Finder

Looks like the link is no longer working or never worked in the past (there isnt a splunk-base.splunk.com anymore it seams.

0 Karma

Xe03kfp
Path Finder

Simon -- Your macro: sla-sec2time(2) is that the name of your index source? I need the same, per the below, and currently have a Days Hours Minutes Seconds column! 😞 sigh.

0 Karma

Simon
Contributor

For those who're interested, see my macro (macros.conf):

[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0

Simon
Contributor

I think a macro will do it. Thanks for your answer!

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Not that I am aware of. I guess you could create your own custom search command but i don't know how much easier this makes your searches. Probably not worth it.

http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/SearchScripts

0 Karma

Simon
Contributor

Hi
Thanx, so far I've seen this post already which worked fine. I was wondering if there's a built-in function available in the meantime.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...