Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to convert values in sec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to convert values in seconds to days, hours, minutes, seconds, and milliseconds?
prashanthberam
Explorer
03-21-2017
09:50 AM
i have values with seconds so i need to convert those into days, hours, minutes, seconds, and milliseconds. i am using this search but am getting 1 day extra.
eval DurationReq_Resp=strftime(DurationReq_Resp, "%d day %Hh:%Mmin:%Ss.%3Nms")
Can you please help me in this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-21-2017
11:39 AM
Like this:
eval DurationReq_Resp=tostring(DurationReq_Resp, "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-21-2017
10:40 AM
%d is the day of the month, so strftime might be getting confused. Try something like this:
| eval DurationReq_Resp=tostring(DurationReq_Resp,"DurationReq_Resp")
| eval DurationReq_RespMS=strftime(DurationReq_Resp,".%3N")
| rex field=DurationReq_Resp mode=sed "s/\+/ days /"
| rex field=DurationReq_Resp mode=sed "s/\d\:{1}/h:/"
| rex field=DurationReq_Resp mode=sed "s/\d\:{1}/min:/"
| rex field=DurationReq_Resp mode=sed "s/$/s/"
| rex field=DurationReq_RespMS mode=sed "s/$/Ms/"
| eval DurationReq_Resp=DurationReq_Resp+""+DurationReq_RespMS
it's a little lengthy, but i think it'll work for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-21-2017
10:25 AM
Any partial days count as days, and negative durations are errors, so you basically can't mix days and hour/min/second in the same strftime and get a valid result. Calculate the number of days separately and concatenate.
| eval DurationReq_Resp=floor(DurationReq_Resp/86400)." day ".strftime(DurationReq_Resp, "%Hh:%Mmin:%Ss.%3Nms")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prashanthberam
Explorer
03-21-2017
10:56 AM
i think we need to calculate the hours also in this same way..
Get Updates on the Splunk Community!
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Ready to master Kubernetes and cloud monitoring like the pros?
Join Splunk’s Growth Engineering team for an ...
Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know
To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...
October Community Champions: A Shoutout to Our Contributors!
As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...
