Solved: how to extract time from a string time field?

matansocher · ‎04-29-2017

I have that field that shows time in a string. the values of the field are something like:

Is there a way to extract the number of hours for each one?
for example if I have value of 2 days I will get 16 hours (8 hours a day), and if I have 30 minutes value, I will get 0.5 hours.

Thank you

dineshraj9 · ‎04-29-2017

Create 3 new fields from this existing field and then calculate hours -

| rex field=<existing_field> "(?<DAYS>\d+)\s*Day"
| rex field=<existing_field> "(?<HOURS>\d+)\s*Hour"
| rex field=<existing_field> "(?<MINS>\d+)\s*Minute"
| eval FINAL_TIME=8*DAYS + HOURS + round(MINS/60,2)

View solution in original post

dineshraj9 · ‎04-29-2017

Create 3 new fields from this existing field and then calculate hours -

| rex field=<existing_field> "(?<DAYS>\d+)\s*Day"
| rex field=<existing_field> "(?<HOURS>\d+)\s*Hour"
| rex field=<existing_field> "(?<MINS>\d+)\s*Minute"
| eval FINAL_TIME=8*DAYS + HOURS + round(MINS/60,2)

matansocher · ‎04-29-2017

I think that might be really helpful for me, but I get no results in the FINAL_TIME field. I think it happens because the values does not contain days hours and minutes, only 1 or 2 of them on each value. I think I need to check if for example "Days" exists in the field and only then try to extract it. what is the best way to do it?
Thank you!

dineshraj9 · ‎05-02-2017

This will work -

   | rex field=<existing_field> "(?<DAYS>\d+)\s*Day"
    | rex field=<existing_field> "(?<HOURS>\d+)\s*Hour"
    | rex field=<existing_field> "(?<MINS>\d+)\s*Minute"
    | eval DAYS=if(isnull(DAYS),0,DAYS) | eval HOURS=if(isnull(HOURS),0,HOURS) | eval MINS=if(isnull(MINS),0,MINS) 
    | eval FINAL_TIME=8*DAYS + HOURS + round(MINS/60,2)

how to extract time from a string time field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life