Solved: Re: How to extract the duration in seconds from va...

HeinzWaescher · ‎05-18-2016

Hi,

I would like to extract the duration in seconds from values like these:
"2 dy 13 hr 49 min 13 sec"
"1 hr 49 min 41 sec"
"12 min 56 sec"

For constant values (e.g. with only min & sec) I would use:
"12 min 56 sec" -> | rex field="FieldA" "(?.*)\ (?.*)\ (?.*) (?.*)"

But as you can see, the format can be different. Is possible to convert these fields into a duration in seconds?

My idea would be to extract fields for each part of the value, for example:

"2 dy 13 hr 49 min 13 sec" into:

dy=2
hr=13
min=49
sec=13

But I don't know how to achieve this. Can you help me?

Thanks in advance
Heinz

sundareshr · ‎05-18-2016

Try this

.... | eval duration= replace(duration,"(\d*)+?(\d+):(\d+):(\d+)","\1dy \2hr \3min \4sec")

View solution in original post

sundareshr · ‎05-18-2016

Try this

.... | eval duration= replace(duration,"(\d*)+?(\d+):(\d+):(\d+)","\1dy \2hr \3min \4sec")

HeinzWaescher · ‎05-18-2016

Thanks for your suggestion. I'm not sure what is intended by this command, adding it just copies the field.

duration="14 hr 22 min 44 sec" -> new duration="14 hr 22 min 44 sec"

sundareshr · ‎05-19-2016

LOL. I clearly misunderstood your question. Here, I think I know now, what you are looking for. Try this runanywhere sample

| gentimes start=-1 | eval duration="49 min 13 sec" | rex field=duration "((?<dy>\d+)\sdy\s)?((?<hr>\d+)\shr\s)?((?<min>\d+)\smin\s)?((?<sec>\d+)\ssec)?" | eval dy=coalesce(dy, 0) | eval hr=coalesce(hr, 0) | eval min=coalesce(min, 0) | eval sec=coalesce(sec, 0) | eval duration=(dy*(3600*24)) + (hr*(3600)) + (min*60) + sec | eval dur=tostring(duration, "duration") | table dy hr min sec duration dur

HeinzWaescher · ‎05-19-2016

Awesome, this works fine 🙂
Thanks a lot

jmallorquin · ‎05-18-2016

Hi HeinzWasecher,

Have you try to use separate extractions like:

props.conf
EXTRACT-dias = \s(?<days>[^\s]+)\sdy
EXTRACT-horas = \s(?<hours>[^\s]+)\shr
...

And in the search make a fillnull of all the fields and make an eval with the calculation

|fillnull days hours .... value=0
| eval Totalsec = days*86400 + hours*3600 ....

Hope i help you

HeinzWaescher · ‎05-18-2016

Thanks for your answer. I'm using a csv with inputlookup here, so I think I have to do it at search time?

jmallorquin · ‎05-18-2016

Hi,

Yes. I that case it will be
| rex "\s(?[^\s]+)\sdy" |rex "\s(?[^\s]+)\shr" ....

Hope i help you

HeinzWaescher · ‎05-18-2016

This results in an error:

Error in 'rex' command: Encountered the following error while compiling the regex '\s(?[^\s]+)\sdy': Regex: unrecognized character after (? or (?-

jmallorquin · ‎05-19-2016

Hi,

Sorry I didn't quote and the command was malformed

The correct is :

| rex "\s(?<days>[^\s]+)\sdy" |rex "\s(?<hours>[^\s]+)\shr" ....<-- continue with the rest of the fields
|fillnull days hours .... value=0
| eval Totalsec = days*86400 + hours*3600 ....

How to extract the duration in seconds from values like "2 dy 13 hr 49 min 13 sec"

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...