How to convert the output of tostring or convert a duration field?

Explorer

I have a search that returns the diff of two times, but the user wants it in "1 day 5 hours and 23 minutes" format not 00+00:00:00. I know regex can do this, but the possibility that the day value might not be present has me stumped. Any help appreciated.

0 Karma

Re: How to convert the output of tostring or convert a duration field?

SplunkTrust

Try something like this (run anywhere example)

| gentimes start=-1 | eval diff=round(now()-relative_time(now(),"-2h")) | table diff | eval duration=tostring(diff,"duration") | eval duration2=replace(duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs")

Re: How to convert the output of tostring or convert a duration field?

Explorer

Perfect! Thanks much.

0 Karma

Re: How to convert the output of tostring or convert a duration field?

Engager

The following regex can be used to suppress any trailing substrings:

(\d*)\+*(\d+):(\d+):(\d+)(.*)
0 Karma
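
The optional day part raised in the question, as an added example that is not part of any post in this thread: instead of rewriting the `tostring(diff,"duration")` string with a regex, it derives each unit from the raw seconds, so the day label is omitted when the value is zero and singular or plural wording is chosen per unit. The three `diff` values are constructed samples, and `n`, `days`, `hours`, `minutes`, `day_part`, `hour_part`, `minute_part` and `readable` are hypothetical field names.

```spl
| makeresults count=3
| streamstats count AS n
| eval diff=case(n==1, 105780, n==2, 7200, n==3, 59)
| eval days=floor(diff/86400), hours=floor((diff%86400)/3600), minutes=floor((diff%3600)/60)
| eval day_part=case(days==0, "", days==1, "1 day ", true(), days." days ")
| eval hour_part=case(hours==1, "1 hour", true(), hours." hours")
| eval minute_part=case(minutes==1, "1 minute", true(), minutes." minutes")
| eval readable=day_part.hour_part." and ".minute_part
| table diff readable
```

Seconds below one minute are dropped here because the requested format stops at minutes.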