Solved: Re: Parse duration in format `HH:MM:SS.NNNNNNN`

jberd126 · ‎11-02-2016

I'm struggling to convert a duration in format HH:MM:SS.NNNNNNN to seconds in a concise manner.

For example, 01:03:01.8231963 should convert to 97381.8231963 seconds.

The convert function dur2sec supports the format [D+]HH:MM:SS while the mstime function supports the format [MM:]SS.SSS however there isn't a single function to support my format.

I've come up with the following solution where cputime is the field I am trying to convert, however, it feels like there should be a simpler way.

| rex field=cputime "(?<cputime_s>\d+\:\d+\:\d+)(?<cputime_ms>\.\d+)" 
| convert dur2sec(cputime_s) 
| eval cputime_s=cputime_s+tonumber(cputime_ms)

somesoni2 · ‎11-02-2016

The string duration format doesn't support milliseconds. Try this workaround (replace line1 with your search)

| gentimes start=-1 | eval cputime ="01:03:02.123456" | table cputime  
| eval cputime_s =strptime(cputime ,"%H:%M:%S.%N")-relative_time(now(),"@d")

View solution in original post

somesoni2 · ‎11-02-2016

The string duration format doesn't support milliseconds. Try this workaround (replace line1 with your search)

| gentimes start=-1 | eval cputime ="01:03:02.123456" | table cputime  
| eval cputime_s =strptime(cputime ,"%H:%M:%S.%N")-relative_time(now(),"@d")

jberd126 · ‎11-02-2016

Thanks somesoni2.
I tried strptime and did find that it created an epoch timestamp however I didn't look further at backing that out with relative_time(). I also confirmed the documentation for now() function to ensure there was no possibility of time drift from strptime():

...returns the time that the search was started.

Parse duration in format `HH:MM:SS.NNNNNNN`

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation