Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Parse duration in format `HH:MM:SS.NNNNNNN`
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm struggling to convert a duration in format HH:MM:SS.NNNNNNN to seconds in a concise manner.
For example, 01:03:01.8231963 should convert to 97381.8231963 seconds.
The convert function dur2sec supports the format [D+]HH:MM:SS while the mstime function supports the format [MM:]SS.SSS however there isn't a single function to support my format.
I've come up with the following solution where cputime is the field I am trying to convert, however, it feels like there should be a simpler way.
| rex field=cputime "(?<cputime_s>\d+\:\d+\:\d+)(?<cputime_ms>\.\d+)"
| convert dur2sec(cputime_s)
| eval cputime_s=cputime_s+tonumber(cputime_ms)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The string duration format doesn't support milliseconds. Try this workaround (replace line1 with your search)
| gentimes start=-1 | eval cputime ="01:03:02.123456" | table cputime
| eval cputime_s =strptime(cputime ,"%H:%M:%S.%N")-relative_time(now(),"@d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The string duration format doesn't support milliseconds. Try this workaround (replace line1 with your search)
| gentimes start=-1 | eval cputime ="01:03:02.123456" | table cputime
| eval cputime_s =strptime(cputime ,"%H:%M:%S.%N")-relative_time(now(),"@d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2.
I tried strptime and did find that it created an epoch timestamp however I didn't look further at backing that out with relative_time(). I also confirmed the documentation for now() function to ensure there was no possibility of time drift from strptime():
...returns the time that the search was started.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
