Solved: When using the transaction command, how do I forma...

clarksinthehill · ‎02-04-2016

I'm sure this may have been asked before. When using transaction, I would like to format the duration into H:M:S, my search results for jobduration looks like 19 is being added to the result. Any help is appreciated.

Search is:

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" | transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" | eval Date=strftime(_time, "%m-%d-%y") | eval JobDuration=strftime(duration, "%H:%M:%S") | table Date job_name JobDuration

Sample Results:

02-03-16    ELSHPCST    02:56:52
02-04-16    ELVALRTD    19:00:00
02-04-16    ELVALRTPE   19:00:00
02-04-16    ELVALOOS    19:00:00
02-04-16    ELVALRTD    19:00:00
02-04-16    ELVALRTPE   19:00:00

javiergn · ‎02-04-2016

Use this instead:

| eval JobDuration = tostring(duration, "duration")

View solution in original post

javiergn · ‎02-04-2016

Use this instead:

| eval JobDuration = tostring(duration, "duration")

clarksinthehill · ‎02-05-2016

Sure - it is.

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" 
 | transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" 
 | eval Date = strftime(_time, "%m-%d-%y") 
 | eval JobDuration = strftime(duration, "duration")
 | table Date, job_name,  JobDuration

javiergn · ‎02-08-2016

Ok, I can see the problem.
I made a mistake when I copied and pasted your code.

Instead of strftime you have to use the tostring function for JobDuration.

That is:

| eval JobDuration = tostring(duration, "duration")

Let me know if that helps. I have already fixed my two answers below.

clarksinthehill · ‎02-08-2016

Perfect! Thanks for the help.

javiergn · ‎02-08-2016

No worries. If this is resolved please remember to mark is as answered so that others can benefit from it in the future.

clarksinthehill · ‎02-05-2016

Thanks for the reply, using the above my results now include duration as a string. Any ideas?

02-05-16 ELINVPUB duration
02-05-16 ELLKPPARN duration
02-05-16 ELVALRTD duration
02-05-16 ELVALRTD duration

javiergn · ‎02-05-2016

Errrm, that shouldn't be the case unless your duration field is not a valid duration.
Can you post your whole query here?
Based on your comments it should be something like:

sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" 
| transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" 
| eval Date = strftime(_time, "%m-%d-%y") 
| eval JobDuration = tostring(duration, "duration")
| table Date, job_name,  JobDuration

When using the transaction command, how do I format the duration into H:M:S?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Are you a member of the Splunk Community?

When using the transaction command, how do I format the duration into H:M:S?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1