Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to remove .000 from the end of a time field (HH:MM.000)?

chadman
Path Finder
‎08-11-2016 08:09 AM

I have a search that creates a time in HH:MM and looks like 04:34.000. How can I drop the .000 at the end of this? Here is the part of my search that gets the time.

| addinfo | eval duration=info_max_time-info_min_time | eval dur_formatted=tostring(duration, "duration") | eval HH:MM:SS=tostring('duration', "duration") | convert rmunit("duration") as numSecs  | eval "duration" = round('duration',0) | eval stringSecs2=tostring(numSecs,"duration") | eval "Total Time in HH:MM" = replace(stringSecs2,"(\d+)\:(\d+)\:(\d+)","\1:\2")
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎08-11-2016 08:15 AM

You could use rtrim to cut the last 3 digits

... | eval stringSecs2 = rtrim(stringSecs2,substr(stringSecs2,-3))

View solution in original post

Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎08-11-2016 08:26 AM

Would this work?

| eval "Total Time in HH:MM"=strptime("Total Time in HH:MM", "%H:%M")

"strptime(X,Y) This function takes a time represented by a string, X, and parses it into a timestamp using the format specified by Y. For a list and descriptions of format options, refer to the topic "Common time format variables". If timeStr is in the form, "11:59", this returns it as a timestamp:"

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎08-11-2016 08:15 AM

You could use rtrim to cut the last 3 digits

... | eval stringSecs2 = rtrim(stringSecs2,substr(stringSecs2,-3))

Reply
Solved! Jump to solution

chadman
Path Finder
‎08-11-2016 08:22 AM

That worked! thanks.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-11-2016 08:13 AM

Try this

| addinfo | eval duration=info_max_time-info_min_time | eval dur_formatted=tostring(round(duration, 0), "duration") | table duration dur_formatted
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎08-11-2016 08:22 AM

I could not get that to work. Were you say to replace what I had with that?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-11-2016 08:24 AM

Replace you search with what I had

0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎08-11-2016 08:27 AM

when I did that I get "no results found"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...