time lost duration format in a join search - Splunk Community

Splunk Search

I have a simple join search as follow,

index=portal bam="audit" event="userLogout" | stats median(secSessDur) as medDur | eval medDur = round(medDur) | fieldformat medDur = tostring(medDur,"duration") | join [search index=portal bam="audit" event="userLogout" | stats avg(secSessDur) as medDur2 | eval medDur2 = round(medDur2) | fieldformat medDur2 = tostring(medDur2,"duration") ]

it is supposed to rendered in a simpleresultstable like so:

medDur | medDur2
01:20:00 | 00:01:20

but it's rendering medDur2 w/o the duration format like so
medDur | medDur2
01:20:00 | 80

this is happening in both my report and the splunk search form. any help is appreciated. thx

Can you do it this way?

index=portal bam="audit" event="userLogout" | 
stats median(secSessDur) as medDur | 
eval medDur = round(medDur) | 
fieldformat medDur = tostring(medDur,"duration") | 
join [search index=portal bam="audit" event="userLogout" | 
stats avg(secSessDur) as medDur2 | 
eval medDur2 = round(medDur2) | fields medDur2 ] |
fieldformat medDur2 = tostring(medDur2,"duration")

I think this is a kludge, but it might work...

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...