Hi all
I'm not sure if somebody already asked a question like mine.
How can I convert a field containing a duartion (not a timestamp!) in seconds into hours, minutes and seconds?
E.g.:
3855s --> 1h 4min 15s
Thanks
Simon
This is a smal and good solution.
| eval time=tostring(filed_with_seconds, "duration")
This will convert 134 to 00:02:14
Hi.
Followed instructions, build a query:
My_Search
|rename "nodes{}.hostname" as "Host Name"
|rename "nodes{}.uptime_seconds" as uptime_seconds
|eval UP_TIME = tostring(round(secs), "duration")
|eval UpTime = replace(UP_TIME,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|eval result=replace(UpTime, "^d (0h (0m )?)?","")
|table "Host Name", UpTime, "uptime_seconds"
-------------------------
In the result table I gut value in "uptime_second" field, but not "in UpTime"
UpTime field is empty.
Any sugestions?
Thank you in advance
|eval UP_TIME = tostring(round(secs), "duration")
should be
|eval UP_TIME = tostring(round(uptime_seconds), "duration")
Thank you.
There is an easier way! Assume that the field is named secs
yoursearchhere
| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
The resulting formatted string is called stringSecs
, although you could use the original field name in the last eval.
BTW I would leave off the last eval and see if that will work for you.
I realise this is getting a bit old, but in case it helps someone else (like this helped me!), I'll share my extension of this answer.
I wanted to include days in the result, and remove leading zeroes from terms, and leading terms if they were zero. This is my query:
| eval string_dur = tostring(round(secs), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval result=replace(formatted_dur, "^d (0h (0m )?)?","")
Sample results (including intermediate strings):
secs string_dur formatted_dur result
----------- ----------- --------------- ---------------
2.000 00:00:02 d 0h 0m 2s 2s
12.500 00:00:13 d 0h 0m 13s 13s
144.333 00:02:24 d 0h 2m 24s 2m 24s
1728.250 00:28:48 d 0h 28m 48s 28m 48s
20736.200 05:45:36 d 5h 45m 36s 5h 45m 36s
248832.167 2+21:07:12 2d 21h 7m 12s 2d 21h 7m 12s
2985984.143 34+13:26:24 34d 13h 26m 24s 34d 13h 26m 24s
Note that this does not work if numSecs=0, as tostring returns 00:00:00 and the regex does not match.
| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
add
| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs)
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
fixed it, not especially elegant...
this is awesome, thanks!
Use eval() and then try to convert into h:m:s
Broken link 😞
Hi @rijom
Could this be what you're looking for?
https://community.splunk.com/t5/Splunk-Search/How-to-convert-seconds-to-h-mm-ss/m-p/291666
Looks like the link is no longer working or never worked in the past (there isnt a splunk-base.splunk.com anymore it seams.
Simon -- Your macro: sla-sec2time(2) is that the name of your index source? I need the same, per the below, and currently have a Days Hours Minutes Seconds column! 😞 sigh.
For those who're interested, see my macro (macros.conf):
[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0
I think a macro will do it. Thanks for your answer!
Not that I am aware of. I guess you could create your own custom search command but i don't know how much easier this makes your searches. Probably not worth it.
http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/SearchScripts
Hi
Thanx, so far I've seen this post already which worked fine. I was wondering if there's a built-in function available in the meantime.