How can I convert 2+12:54:32 as 2:12:54:32 (2 days 12 hours 54 minutes 32 seconds)?
Current search is this:
| eval duration_time= tostring(duration_time, "duration")
| eval formatted_dur = replace(duration_time,"(?:(\d+)+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
Which produces the attached screenshots. When we are sorting from highest time to lowest time, it puts days as the lowest in the sort.
Try this:
... your root search ...
| rex field=duration_time "^(?:(?<days>\d+)\+)?(?<hours>\d+):(?<minutes>\d+):(?<seconds>\d+)(?:\.(?<micro>\d+))?"
| eval elapsed=86400*coalesce(days,0)+3600*hours+60*minutes+seconds
| table elapsed duration_time
| sort elapsed
If that looks good, add this to the end to remove the elapsed field:
| fields - elapsed
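Added example, not part of the original answer: a self-contained search that sorts on the numeric elapsed value while displaying the D:HH:MM:SS form the question asks for. The four duration_time values are constructed sample data and the helper field n is an assumption; the day prefix and fractional seconds are treated as optional.

```spl
| makeresults count=4
| streamstats count AS n
| eval duration_time=case(n=1,"2+12:54:32", n=2,"00:05:07", n=3,"11:00:00.250000", n=4,"10+01:02:03")
| rex field=duration_time "^(?:(?<days>\d+)\+)?(?<hours>\d+):(?<minutes>\d+):(?<seconds>\d+)(?:\.(?<micro>\d+))?$"
| eval days=coalesce(days,"0")
| eval elapsed=86400*tonumber(days)+3600*tonumber(hours)+60*tonumber(minutes)+tonumber(seconds)
| eval formatted_dur=days.":".hours.":".minutes.":".seconds
| sort 0 -elapsed
| table duration_time formatted_dur elapsed
```

Sorting on formatted_dur itself would compare the values as strings, so keep elapsed in the pipeline until after the sort and drop it afterwards with fields - elapsed.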