Solved: Trying to dur2sec a HH field that is more than 24H

wweiland · ‎10-09-2013

I'm trying to dur2sec a hour field that is more than 24H and therefore doesn't work. Anyone have any suggestions on how I can get the seconds out of this type of HH:MM:SS?

Below is a sample output showing that below 24H works fine, everything above fails.

walltime wall
24:00:03

23:59:46 86386

kristian_kolb · ‎10-09-2013

You can do it manually;

blah blah | rex field=your_time_field "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)" | eval dur = (HH * 3600) + (MM * 60) + SS | table your_time_field dur

/K

View solution in original post

sowings · ‎10-09-2013

I think dur2sec might be aimed at something like a sendmail (x)delay field, where values over 24 hours are converted to days+HH:MM:SS. I'd go with @kristian.kolb 's solution shown below.

kristian_kolb · ‎10-09-2013

You can do it manually;

blah blah | rex field=your_time_field "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)" | eval dur = (HH * 3600) + (MM * 60) + SS | table your_time_field dur

/K

wweiland · ‎10-09-2013

Thank you for your help!

wrighke · ‎07-31-2019

Just want to add, if your timestamp included milliseconds, you can use:

| rex field=diff "(?\d+):(?\d+):(?\d+).(?\d+)"
| eval dur = (HH * 3600) + (MM * 60) + SS + (MS / 1000000)

my timestamp had 6 decimal places for ms, so I divide ms by 1,000,000

Trying to dur2sec a HH field that is more than 24H

Tips & Tricks When Using Ingest Actions

Announcing Our Splunk MVPs

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!