Splunk Search

How to convert seconds into hours, minutes and seconds?

Contributor

Hi all

How can I convert a field containing a duartion (not a timestamp!) in seconds into hours, minutes and seconds?
E.g.:

``````3855s --> 1h 4min 15s
``````

Thanks
Simon

Labels (2)

• stats

Tags (3)
1 Solution
Splunk Employee
Builder

This is a smal and good solution.

``| eval time=tostring(filed_with_seconds, "duration")``

This will convert 134 to 00:02:14

Tags (1)
Path Finder

Hi.

Followed instructions, build a query:
My_Search
|rename "nodes{}.hostname" as "Host Name"
|rename "nodes{}.uptime_seconds" as uptime_seconds
|eval UP_TIME = tostring(round(secs), "duration")
|eval UpTime = replace(UP_TIME,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|eval result=replace(UpTime, "^d (0h (0m )?)?","")
|table "Host Name", UpTime, "uptime_seconds"
-------------------------
In the result table I gut value in "uptime_second" field, but not "in UpTime"
UpTime field is empty.

Any sugestions?

SplunkTrust
``|eval UP_TIME = tostring(round(secs), "duration")``

should be

``|eval UP_TIME = tostring(round(uptime_seconds), "duration")``
Path Finder

Thank you.

Legend

There is an easier way! Assume that the field is named `secs`

``````yoursearchhere
| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
``````

The resulting formatted string is called `stringSecs`, although you could use the original field name in the last eval.
BTW I would leave off the last eval and see if that will work for you.

Engager

I realise this is getting a bit old, but in case it helps someone else (like this helped me!), I'll share my extension of this answer.

I wanted to include days in the result, and remove leading zeroes from terms, and leading terms if they were zero. This is my query:

``````| eval string_dur = tostring(round(secs), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval result=replace(formatted_dur, "^d (0h (0m )?)?","")
``````

Sample results (including intermediate strings):

``````secs         string_dur   formatted_dur    result
-----------  -----------  ---------------  ---------------
2.000  00:00:02     d 0h 0m 2s       2s
12.500  00:00:13     d 0h 0m 13s      13s
144.333  00:02:24     d 0h 2m 24s      2m 24s
1728.250  00:28:48     d 0h 28m 48s     28m 48s
20736.200  05:45:36     d 5h 45m 36s     5h 45m 36s
248832.167  2+21:07:12   2d 21h 7m 12s    2d 21h 7m 12s
2985984.143  34+13:26:24  34d 13h 26m 24s  34d 13h 26m 24s
``````
Path Finder

Note that this does not work if numSecs=0, as tostring returns 00:00:00 and the regex does not match.

``````| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
``````

``````| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs)
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
``````

fixed it, not especially elegant...

New Member

this is awesome, thanks!

Loves-to-Learn Lots

Use eval() and then try to convert into h:m:s

Splunk Employee
Explorer

Community Manager
Path Finder

Looks like the link is no longer working or never worked in the past (there isnt a splunk-base.splunk.com anymore it seams.

Path Finder

Simon -- Your macro: sla-sec2time(2) is that the name of your index source? I need the same, per the below, and currently have a Days Hours Minutes Seconds column! 😞 sigh.

Contributor

For those who're interested, see my macro (macros.conf):

``````[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor(\$seconds\$/24/3600) | eval sec2time_hours=floor((\$seconds\$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor((\$seconds\$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor(\$seconds\$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" \$output_field\$
iseval = 0
``````
Contributor

Splunk Employee

Not that I am aware of. I guess you could create your own custom search command but i don't know how much easier this makes your searches. Probably not worth it.

Contributor

Hi
Thanx, so far I've seen this post already which worked fine. I was wondering if there's a built-in function available in the meantime.

Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...