Solved: How to convert seconds to milliseconds by strippin...

raghul725 · ‎03-08-2023

Hello,

I am performing the following search to extract the time taken to upload

index=* my_search |rex "\[upload\] executed in (?<ut>\d+\w+)"

the above extracts values like 343ms, 8s30ms, 11s404ms

How would I extract the seconds portion, convert it into ms and add it to ms so that I can get the upload time always in ms please?

richgalloway · ‎03-08-2023

As with many things Splunk, there's probably more than one way to do that. I like rex for it. Use a regular expression to extract the s and ms values then use eval for the math.

index=* my_search
| rex "\[upload\] executed in (?<ut>\d+\w+)"
| rex field=ut "(?:(?<sec>\d+)s)?(?<ms>\d+)ms"
``` Convert null to zero ```
| eval sec = if(isnull(sec), 0, sec)
| eval ms = (sec*1000) + ms

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-08-2023

As with many things Splunk, there's probably more than one way to do that. I like rex for it. Use a regular expression to extract the s and ms values then use eval for the math.

index=* my_search
| rex "\[upload\] executed in (?<ut>\d+\w+)"
| rex field=ut "(?:(?<sec>\d+)s)?(?<ms>\d+)ms"
``` Convert null to zero ```
| eval sec = if(isnull(sec), 0, sec)
| eval ms = (sec*1000) + ms

---
If this reply helps you, Karma would be appreciated.

raghul725 · ‎03-09-2023

Brilliant thank you very much

How to convert seconds to milliseconds by stripping out seconds and then add it to milliseconds?

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?