- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert time stamp?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
How to convert the seconds in to days, hours, sec? Any suggestions ?
for eg:
I have a sec field to convert to "2 Day(s) 3 Hr. 12 Min. 5Sec."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kiran331
You can use the splunk tostring and diff functions to convert a number in seconds to a range of days, hours, minutes, and seconds.
tostring with the duration format will output the time as [days]+[hours]:[minutes]:[seconds] ie: 2+03:12:05. You can then use replace function of eval to format the output.
[your search]
| eval duration = tostring([your time in seconds], "duration")
| eval TimeRange=replace(duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 Day(s) \2 HR .\3 Min. \4 Sec.")
More information on tostring can be found
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConversionFunctions#tostring....
More information on Replace can be found
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/TextFunctions#replace.28X.2CY...
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kiran331
You can use the splunk tostring and diff functions to convert a number in seconds to a range of days, hours, minutes, and seconds.
tostring with the duration format will output the time as [days]+[hours]:[minutes]:[seconds] ie: 2+03:12:05. You can then use replace function of eval to format the output.
[your search]
| eval duration = tostring([your time in seconds], "duration")
| eval TimeRange=replace(duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 Day(s) \2 HR .\3 Min. \4 Sec.")
More information on tostring can be found
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConversionFunctions#tostring....
More information on Replace can be found
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/TextFunctions#replace.28X.2CY...
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! It worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kiran331, Something similar has been answered before.
1) Using reltime command you can get relative difference of _time as per current time. However, it will be precise only to the highest unit of time i.e. 2 days 3 hours 30 min 20 sec will become 2 days ago. First you need to adjust _time as now()-duration and then pipe reltime.
2) Using tostring(duration,"duration") and then followed by rex with sed or replace() function:
Following is a run anywhere search with both examples:
| makeresults
| eval duration=3645
| append
[| makeresults
| eval duration=84450]
| append
[| makeresults
| eval duration=163431]
| eval _time=now()-duration
| reltime
| rename reltime as durRelTime
| eval durDaysHHMMSS=tostring(duration,"duration")
| eval durDaysHHMMSS=replace(durDaysHHMMSS,"\+"," Day(s) ")
| eval durDaysHHMMSS=replace(durDaysHHMMSS,"(\d+):(\d+):(\d+)","\1 Hr. \2 Min. \3 Sec.")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use REX to split the field.
|rex field=text "(?<day>\d*)\sDay\(s\)\s(?<hr>\d*)\sHr\.\s(?<min>\d*)\sMin\.\s(?<sec>\d*)Sec.*"
|eval seconds=day*24*60*60+hr*60*60+min*60+sec
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
