I'm sure this may have been asked before. When using transaction, I would like to format the duration into H:M:S
, my search results for jobduration looks like 19 is being added to the result. Any help is appreciated.
Search is:
sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY" | transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY" | eval Date=strftime(_time, "%m-%d-%y") | eval JobDuration=strftime(duration, "%H:%M:%S") | table Date job_name JobDuration
Sample Results:
02-03-16 ELSHPCST 02:56:52
02-04-16 ELVALRTD 19:00:00
02-04-16 ELVALRTPE 19:00:00
02-04-16 ELVALOOS 19:00:00
02-04-16 ELVALRTD 19:00:00
02-04-16 ELVALRTPE 19:00:00
Use this instead:
| eval JobDuration = tostring(duration, "duration")
Use this instead:
| eval JobDuration = tostring(duration, "duration")
Sure - it is.
sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY"
| transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY"
| eval Date = strftime(_time, "%m-%d-%y")
| eval JobDuration = strftime(duration, "duration")
| table Date, job_name, JobDuration
Ok, I can see the problem.
I made a mistake when I copied and pasted your code.
Instead of strftime you have to use the tostring function for JobDuration.
That is:
| eval JobDuration = tostring(duration, "duration")
Let me know if that helps. I have already fixed my two answers below.
Perfect! Thanks for the help.
No worries. If this is resolved please remember to mark is as answered so that others can benefit from it in the future.
Thanks for the reply, using the above my results now include duration as a string. Any ideas?
02-05-16 ELINVPUB duration
02-05-16 ELLKPPARN duration
02-05-16 ELVALRTD duration
02-05-16 ELVALRTD duration
Errrm, that shouldn't be the case unless your duration field is not a valid duration.
Can you post your whole query here?
Based on your comments it should be something like:
sourcetype=tws_merged (job_cpu_name ="cclita*" OR job_cpu_name ="cplisa3*" OR job_cpu_name = "cpaisa*f" OR job_cpu_name="lp0d7*") job_stream_name!="UNIXDLY"
| transaction job_name host startswith"Jobman streamed" endswith="has completed SUCCESSFULLY"
| eval Date = strftime(_time, "%m-%d-%y")
| eval JobDuration = tostring(duration, "duration")
| table Date, job_name, JobDuration