Splunk Search

How to edit my search to convert values in seconds to days, hours, minutes, seconds, and milliseconds?

prashanthberam
Explorer

i have values with seconds so i need to convert those into days, hours, minutes, seconds, and milliseconds. i am using this search but am getting 1 day extra.

eval DurationReq_Resp=strftime(DurationReq_Resp, "%d day %Hh:%Mmin:%Ss.%3Nms")

Can you please help me in this?
Thanks.

0 Karma

woodcock
Esteemed Legend

Like this:

eval DurationReq_Resp=tostring(DurationReq_Resp, "duration")
0 Karma

cmerriman
Super Champion

%d is the day of the month, so strftime might be getting confused. Try something like this:

| eval DurationReq_Resp=tostring(DurationReq_Resp,"DurationReq_Resp") 
| eval DurationReq_RespMS=strftime(DurationReq_Resp,".%3N") 
| rex field=DurationReq_Resp mode=sed "s/\+/ days /" 
| rex field=DurationReq_Resp mode=sed "s/\d\:{1}/h:/" 
| rex field=DurationReq_Resp mode=sed "s/\d\:{1}/min:/" 
| rex field=DurationReq_Resp mode=sed "s/$/s/" 
| rex field=DurationReq_RespMS mode=sed "s/$/Ms/" 
| eval DurationReq_Resp=DurationReq_Resp+""+DurationReq_RespMS

it's a little lengthy, but i think it'll work for you.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Any partial days count as days, and negative durations are errors, so you basically can't mix days and hour/min/second in the same strftime and get a valid result. Calculate the number of days separately and concatenate.

| eval DurationReq_Resp=floor(DurationReq_Resp/86400)." day ".strftime(DurationReq_Resp, "%Hh:%Mmin:%Ss.%3Nms")
0 Karma

prashanthberam
Explorer

i think we need to calculate the hours also in this same way..

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...