Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to chnage "mmss" format strings to mm:ss format

K2
Engager
‎08-20-2020 12:33 AM

I have searched this but I have not found a suitable answer yet,

Here I have a field as below

time
"0"
"7"
"56"
"101"
"3045"
"7034"

These show a time stamp, 0 is 0 second, 56 is 56 seconds, 101 is 1m1s, 3045 is 30m45s.
I would like to transform these to mm:ss format,  so "0" would be "00:00", "101" would be "01:01". 

How I can do this? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-20-2020 12:48 AM

Hi @K2 ,


This should work if you only have 1-4 characters in the string. If it's more, you would have to extend the case statement.

| eval length=len(value) 
| eval timestamp=case(length=1,"00:0"+value,length=2,"00:"+value,length=3,"0"+substr(value,1,1)+":"+substr(value,2,2),length=4,substr(value,1,2)+":"+substr(value,3,2))
| fields - length


The input field is "value" in my case. I just saw that yours is called "time", looking at your table, so you will have to exchange "value" with "time" in the SPL...

Hope it helps

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-20-2020 12:48 AM

Hi @K2 ,


This should work if you only have 1-4 characters in the string. If it's more, you would have to extend the case statement.

| eval length=len(value) 
| eval timestamp=case(length=1,"00:0"+value,length=2,"00:"+value,length=3,"0"+substr(value,1,1)+":"+substr(value,2,2),length=4,substr(value,1,2)+":"+substr(value,3,2))
| fields - length


The input field is "value" in my case. I just saw that yours is called "time", looking at your table, so you will have to exchange "value" with "time" in the SPL...

Hope it helps

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

K2
Engager
‎08-20-2020 05:21 PM

Hi @rnowitzki ,

Thank you!! Amazing line works so good, I would like to give you my appreciation again.

Regards,
K2

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...