Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time convertion of big amount of seconds

javo
Explorer
‎01-21-2013 12:47 PM

I need to convert a total number of seconds to a formatted time %H:%M:%S but as there is a couple of million seconds, obviuosly %H is way more than 24. This way, days are completly ignored and it gives me only the last fraction of hours as result.
For example, it converts 2716589 seconds to 10:36:29.

I do this:

| stats ... sum(time_each_event) as "total time" | convert timeformat="%H:%M:%S" ctime("total time")

I guess that the problem is the timeformat sentence. What I need is the big total of hours, including minutes and seconds of course, or else the number of days not to be ignored, that is 754:36:29 or 31d 10:36:29.

Tags (2)
Reply

jonuwz
Influencer
‎01-21-2013 01:02 PM

Like this :

... | eval "total time"=tostring($total time$,"duration")

output is like 31+10:36:29 which is a pretty standard way of representing durations in excess of 1 day in *nix

Note that the '$' around "total time" in the eval is needed because there's a space in the field we're operating on.

Update

Check the search below works for you. If not use total_time instead of "total time"

alt text

Reply

javo
Explorer
‎01-24-2013 07:36 AM

Version 5.0.1.
That works if I run it in the search app, exactly as you show, but it still doesn't work in my custom app. Look the search command at the job inspector:

... | eval Time_formatted=tostring(Time,"duration") | stats count as "Total", max(Time_formatted) AS "max", sum(Time) AS "total sum", mode(foo) as "most" | eval "total sum"=tostring(,"duration")

Note that the $total sum$ argument disappears for no reason. At inspector I get this debug message:

....'fatal': ['Error in \'eval\' command: The expression is malformed. An unexpected character is reached at \',"duration")\'.']}

0 Karma
Reply

jonuwz
Influencer
‎01-22-2013 12:17 AM

what version of splunk? - updated answer

0 Karma
Reply

javo
Explorer
‎01-21-2013 01:27 PM

Not working, dude. "Job appears to be expired..."

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...