Splunk Search
Highlighted

How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

New Member

Hi

I have an interesting issue. My logs include format such as Day:Hour:Min:Sec. I need to strip out hour from logs and calculate the entire duration in seconds. How can I achieve it? I tried to include Day in calculation, but It's not working, so want to convert this to string and strip off day part.

More information:
I have a time format - 0:00:00:05
I was able to convert it to string - 00:00:05
eval time=strptime(test2,"%H:%M:%S") - gave me 1465275605.000000
I need to convert this to duration in seconds. - 5 seconds

This is my search string so far:

eval test = tostring(JobStepsExecutionDuration) | eval test2 = substr(test,3,8) | eval time=strptime(test2,"%H:%M:%S")
0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

Legend

Have you tried one of these converions, specifically the dur2sec()

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/Convert

View solution in original post

Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

New Member

Hi , I tried but it's not working out..
so want to strip off Day part and try to convert it to time in terms of HH:MM:SS

0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

Splunk Employee
Splunk Employee

Maybe you can try to change format of the JobStepsExecustionDuration to meet dur2sec() requirement

<your search>  | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)

I tested this with the following search and it worked.

| stats count | eval JobStepsExecutionDuration="0:00:00:05" | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)
0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

New Member
rex field=time mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(time) AS seconds 

I get seconds as

jobstepduration seconds I need
00:00:05 1465275605.000000 5
00:00:22 1465275622.000000 22

0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

Legend

Convert it with rex...

| rex field=JobStepsExecutionDuration "(?<hh>\d+):(?<mm>\d+):(?<ms>\d+)" | eval dur = (hh * 3600) + (mm * 60) + dd | table JobStepsExecutionDuration dur
0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

Splunk Employee
Splunk Employee

Maybe you want to add day information, too. Well, this person is not looking for the value...
Without dur2sec() function, this could be a solution.

0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

New Member

there is no Day info.. I was able to get to epoc time... question is how can I convert epoc time to seconds...

field - 00:00:05
epoc - 16959+05:00:05.000000

seconds - 5 ?

0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

New Member

It worked.. turned out to be far simpler than I thought...

eval  test = tostring(JobStepsExecutionDuration) |  eval test2 = substr(test,3,8) || convert dur2sec(test2)  As Durationseconds 
0 Karma
Highlighted

Re: How to convert time format 0:00:00:00 into a string and later to time to calculate duration in seconds?

Splunk Employee
Splunk Employee

Great. We got confused with your question and what you're looking for.

So, the value is not Duration. It is date time information in epoch time in seconds.

Please keep in mind that the result will be changed tomorrow because the string is assuming date information.