Splunk Search

How to convert time as DD:HH:MM:SS

Sp3ctre1
New Member

How can I convert 2+12:54:32 as 2:12:54:32 (2 days 12 hours 54 minutes 32 seconds)

Current search is this :

| eval duration_time= tostring(duration_time, "duration")
| eval formatted_dur = replace(duration_time,"(?:(\d+)+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")

Which produces attached screenshots.. When we are sorting from highest time --> to lowest time .. it puts days as the lowest in the sort.alt text

0 Karma

jkat54
SplunkTrust
SplunkTrust

Try this:

... your root search ... 
| rex field=duration_time "(?<days>\d+)?\+?(?<hours>\d+):(?<minutes>\d+):(?<seconds>\d+)\.(?<micro>\d+)" 
| eval elapsed=86400*days+3600*hours+60*minutes+seconds 
| table elapsed duration_time 
| sort elapsed

If that looks good, add this to the end to remove the elapsed field:

| fields - elapsed
0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...