Splunk Search

How to edit my search to convert values in seconds to days, hours, minutes, seconds, and milliseconds?

Explorer

I have values in seconds, so I need to convert those into days, hours, minutes, seconds, and milliseconds. I am using this search but am getting 1 day extra.

eval DurationReq_Resp=strftime(DurationReq_Resp, "%d day %Hh:%Mmin:%Ss.%3Nms")

Can you please help me in this?
Thanks.

0 Karma

Esteemed Legend

Like this:

eval DurationReq_Resp=tostring(DurationReq_Resp, "duration")

0 Karma

Super Champion

%d is the day of the month, so strftime might be getting confused. Try something like this:

| eval DurationReq_RespMS=strftime(DurationReq_Resp,".%3N") 
| eval DurationReq_Resp=tostring(floor(DurationReq_Resp),"duration") 
| rex field=DurationReq_Resp mode=sed "s/\+/ days /" 
| rex field=DurationReq_Resp mode=sed "s/(\d):/\1h:/" 
| rex field=DurationReq_Resp mode=sed "s/(\d):/\1min:/" 
| rex field=DurationReq_Resp mode=sed "s/$/s/" 
| rex field=DurationReq_RespMS mode=sed "s/$/Ms/" 
| eval DurationReq_Resp=DurationReq_Resp+""+DurationReq_RespMS

It's a little lengthy, but I think it'll work for you.

0 Karma

SplunkTrust

Any partial days count as days, and negative durations are errors, so you basically can't mix days and hour/min/second in the same strftime and get a valid result. Calculate the number of days separately and concatenate.

| eval DurationReq_Resp=floor(DurationReq_Resp/86400)." day ".strftime(DurationReq_Resp, "%Hh:%Mmin:%Ss.%3Nms")

0 Karma

Explorer

I think we need to calculate the hours also in this same way.

0 Karma
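An added example, not taken from any post in this thread: strftime treats the value as an epoch timestamp, so %d returns the calendar day (01 for anything under 86400 seconds) and %H is rendered in the searching user's time zone. The search below avoids strftime and derives every unit with integer arithmetic on milliseconds, keeping the sign separately for negative values. The makeresults sample values and the field names total_ms, sign, days, hours, mins, secs, ms and Duration_Formatted are constructed for illustration.

```spl
| makeresults
| eval DurationReq_Resp=split("0.25,3661.007,93784.5,-90061.75", ",")
| mvexpand DurationReq_Resp
| eval total_ms=round(tonumber(DurationReq_Resp)*1000)
| eval sign=if(total_ms<0, "-", "")
| eval total_ms=abs(total_ms)
| eval days=floor(total_ms/86400000)
| eval hours=floor((total_ms%86400000)/3600000)
| eval mins=floor((total_ms%3600000)/60000)
| eval secs=floor((total_ms%60000)/1000)
| eval ms=total_ms%1000
| eval Duration_Formatted=sign.days." day ".printf("%02dh:%02dmin:%02ds.%03dms", hours, mins, secs, ms)
| table DurationReq_Resp Duration_Formatted
```

To use it on real events, drop the first three lines and start from the eval that computes total_ms.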