Splunk Search

duration to seconds

tmarlette
Motivator

I'm attempting to turn the duration of a process in the PS data into just seconds so I can sort appropriately and find the longest running processes for a single host. All of the data is being generated using the Splunk_TA_nix add-on.

In this case, the problem seems to be when processes run for longer than 24 hours. The format comes out like this: 1-05:51:38
I assume Splunk is looking for a '+' instead of a '-' for the day count.

here's my current query:

index=nix sourcetype=ps 
| convert dur2sec(ELAPSED) as runTime
| stats avg(pctCPU) as CPU avg(pctMEM) as MEM by host pid runTime
| sort - runTime
| eval runTime=tostring(runTime, "duration")

This gives me an output that looks like this:
[screenshot of the converted output]

If I am to remove all of the conversion syntax, I get entries like this:

[screenshot of the unconverted ELAPSED values]

buuuuuttt, I can't sort on it because Splunk doesn't recognize this as a field to sort ascending/descending.

Is there a way to sort this field, or change it to seconds properly somehow?

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

You Could do something like this...

|makeresults 
| eval ELAPSED="1-05:00:04 01:23:45 53:21 :17"
| makemv ELAPSED
| mvexpand ELAPSED
| rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)"
| eval runtime=86400*Coalesce(ElapsedDays,0) + 3600*Coalesce(ElapsedHours,0) + 60*Coalesce(ElapsedMinutes,0) + 1*Coalesce(ElapsedSeconds,0)

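The answer's rex and eval, carried over into Python as an added example (not code from the thread or from the Splunk_TA_nix add-on) so the edge cases it has to cover are visible at a glance: ps prints ELAPSED as [[dd-]hh:]mm:ss, so a value can be "1-05:51:38", "01:23:45", "53:21" or ":17", and each optional group must fall back to 0. The pattern is the same one as in the answer, with the right-hand "$" anchor DalJeanis proposes further down the thread, so trailing garbage makes the match fail instead of being ignored. The sample process rows are constructed for the example; the function names ps_elapsed_to_seconds, to_dur2sec_input and longest_running are this example's own. The "[D+]HH:MM:SS" string produced by to_dur2sec_input is the duration format the convert command's dur2sec function documents, which is why the ps "1-" day prefix was not accepted in the original query.

```python
import re
from typing import Dict, List, Optional

# Same groups as the answer's rex; "$" is the right-hand anchor suggested
# later in the thread so the engine cannot silently skip trailing text.
ELAPSED_RE = re.compile(
    r"^((?P<days>\d*)-)?((?P<hours>\d+):)?(?P<minutes>\d+)?:(?P<seconds>\d+)$"
)

# Constructed sample rows, shaped like what sourcetype=ps yields per process.
SAMPLE_PS_ROWS: List[Dict[str, object]] = [
    {"host": "web01", "pid": 4021, "ELAPSED": "1-05:51:38"},  # > 24h, day prefix
    {"host": "web01", "pid": 4099, "ELAPSED": "53:21"},       # mm:ss only
    {"host": "web01", "pid": 7123, "ELAPSED": "01:23:45"},    # hh:mm:ss
    {"host": "web01", "pid": 8891, "ELAPSED": ":17"},         # seconds only
    {"host": "web01", "pid": 9001, "ELAPSED": "bogus"},       # malformed
]


def ps_elapsed_to_seconds(elapsed: str) -> Optional[int]:
    """Convert a ps ELAPSED value ([[dd-]hh:]mm:ss) to whole seconds.

    Mirrors the answer's eval: 86400*days + 3600*hours + 60*minutes + seconds,
    with every missing group coalesced to 0. Returns None for input that does
    not match, so malformed values are not quietly sorted as 0 seconds.
    """
    m = ELAPSED_RE.match(elapsed.strip())
    if not m:
        return None
    days = int(m.group("days") or 0)
    hours = int(m.group("hours") or 0)
    minutes = int(m.group("minutes") or 0)
    seconds = int(m.group("seconds"))
    return 86400 * days + 3600 * hours + 60 * minutes + seconds


def to_dur2sec_input(elapsed: str) -> Optional[str]:
    """Rewrite a ps ELAPSED value into the [D+]HH:MM:SS form that convert's
    dur2sec documents, i.e. '1-05:51:38' becomes '1+05:51:38' and '53:21'
    becomes '00:53:21'. Useful if you would rather keep the original
    convert-based query and just normalise the field first."""
    total = ps_elapsed_to_seconds(elapsed)
    if total is None:
        return None
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{seconds:02d}"
    return f"{days}+{hms}" if days else hms


def longest_running(rows: List[Dict[str, object]], n: int) -> List[Dict[str, object]]:
    """Return the n rows with the largest runtime, newest field 'runtime' added.

    Rows whose ELAPSED does not parse are dropped rather than ranked at 0,
    which is the behaviour you want when hunting long-running processes.
    """
    scored = []
    for row in rows:
        runtime = ps_elapsed_to_seconds(str(row["ELAPSED"]))
        if runtime is None:
            continue
        scored.append({**row, "runtime": runtime})
    scored.sort(key=lambda r: r["runtime"], reverse=True)
    return scored[:n]


if __name__ == "__main__":
    for value in ("1-05:00:04", "01:23:45", "53:21", ":17", "bogus"):
        print(f"{value!r:>14} -> {ps_elapsed_to_seconds(value)} s, "
              f"dur2sec form {to_dur2sec_input(value)!r}")
    for row in longest_running(SAMPLE_PS_ROWS, 3):
        print(row["host"], row["pid"], row["ELAPSED"], row["runtime"])
```

Running it stand-alone prints each sample value with its second count and dur2sec-style rewrite, then the three longest-running sample processes; the "bogus" row is excluded from the ranking instead of being sorted to the bottom as 0.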
woodcock
Esteemed Legend

Exactly how I would have done it, but inside of a macro.

DalJeanis
SplunkTrust
SplunkTrust

@woodcock - what, and make it repeatable and modular? Where's the fun in that? I'd much rather code it
from scratch every single time... zzzzz... huh, what was I saying?

Would you do it with two parameters, the input field and output field, while allowing them to be the same if desired?

Of course you would. And the intermediate rex-extract fields would probably be some set of characters that were meaningful but highly unlikely to exist in natural code. I've seen you use l33t for that purpose before, or just for fun.

0 Karma

tmarlette
Motivator

I tried this, and it does work. The only catch is that my search is exceptionally slow due to the |mv commands I suspect. more tinkering....

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@tmarlette - sorry I didn't mark it for you - you only need lines 5 and 6. 1 thru 4 were to create test data.

0 Karma

tmarlette
Motivator

yeah, I caught that. It works fine, it's just pretty slow on my search head is all. Thanks for the help!

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@tmarlette - Hmmm. I don't see anything in that that should take very long.

Okay, there's a possibility that because of the question marks the rex is doing a little extra work backing up. Let's anchor the right side of the field and see if that cuts the time.

| rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)$"
0 Karma