Splunk Search

How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

vchitrala
New Member

Hi

I have an interesting issue. My logs include format such as Day:Hour:Min:Sec. I need to strip out hour from logs and calculate the entire duration in seconds. How can I achieve it? I tried to include Day in calculation, but It's not working, so want to convert this to string and strip off day part.

More information:
I have a time format - 0:00:00:05
I was able to convert it to string - 00:00:05
eval time=strptime(test2,"%H:%M:%S") - gave me 1465275605.000000
I need to convert this to duration in seconds. - 5 seconds

This is my search string so far:

eval test = tostring(JobStepsExecutionDuration) | eval test2 = substr(test,3,8) | eval time=strptime(test2,"%H:%M:%S")
0 Karma
1 Solution

sundareshr
Legend

Have you tried one of these converions, specifically the dur2sec()

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/Convert

View solution in original post

Masa
Splunk Employee
Splunk Employee

Can you provide sample logs and example of what you're trying to do?

0 Karma

sundareshr
Legend

Have you tried one of these converions, specifically the dur2sec()

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/Convert

sundareshr
Legend

Convert it with rex...

| rex field=JobStepsExecutionDuration "(?<hh>\d+):(?<mm>\d+):(?<ms>\d+)" | eval dur = (hh * 3600) + (mm * 60) + dd | table JobStepsExecutionDuration dur
0 Karma

tcupp
New Member

Works great for my dashboard!

0 Karma

Masa
Splunk Employee
Splunk Employee

Maybe you want to add day information, too. Well, this person is not looking for the value...
Without dur2sec() function, this could be a solution.

0 Karma

vchitrala
New Member

there is no Day info.. I was able to get to epoc time... question is how can I convert epoc time to seconds...

field - 00:00:05
epoc - 16959+05:00:05.000000

seconds - 5 ?

0 Karma

vchitrala
New Member

It worked.. turned out to be far simpler than I thought...

eval  test = tostring(JobStepsExecutionDuration) |  eval test2 = substr(test,3,8) || convert dur2sec(test2)  As Durationseconds 
0 Karma

Masa
Splunk Employee
Splunk Employee

Great. We got confused with your question and what you're looking for.

So, the value is not Duration. It is date time information in epoch time in seconds.

Please keep in mind that the result will be changed tomorrow because the string is assuming date information.

vchitrala
New Member

Hi , I tried but it's not working out..
so want to strip off Day part and try to convert it to time in terms of HH:MM:SS

0 Karma

Masa
Splunk Employee
Splunk Employee

Maybe you can try to change format of the JobStepsExecustionDuration to meet dur2sec() requirement

<your search>  | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)

I tested this with the following search and it worked.

| stats count | eval JobStepsExecutionDuration="0:00:00:05" | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)
0 Karma

vchitrala
New Member
rex field=time mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(time) AS seconds 

I get seconds as

jobstepduration seconds I need
00:00:05 1465275605.000000 5
00:00:22 1465275622.000000 22

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...