I'm trying to add a "Downtime" field to my table. The timestamp on the event isn't reliable because it is when the issue was reported, not when it began, so I had to extract the time from another field. This is a two-part question.
1. Is there a better, more simple way to get my "Downtime" variable?
| rex field=issue ".+(?P<S_Time>\d{4})[Z]\s(?P<S_Date>\d{2}\s[A-Z][a-z]{2})"
| eval Issue_Began=S_Time. " ".S_Date." ".date_year ```Output ex - 0654 27 Feb 2023```
| eval StartTime=strftime(strptime(Issue_Began, "%H%M %d %B %Y"), "%m/%d/%Y %H:%M")
| eval duration=now()-strptime(StartTime, "%m/%d/%Y %H:%M")
| eval duration=tostring(duration,"duration")
| rex field=duration "((?P<D>\d{1,2})\+)?(?P<H>\d{2}):(?P<M>\d{2})" ```Output ex - 1+05:16.51```
| eval Downtime=D."D ".H."H ".M."M "
2. When a system is down for less than 24 hours, the Downtime field is blank, otherwise it will give me the expected result of "1D 05H 16M". How do I alter that eval to skip "D" if it is null? I'm assuming that's the issue because the field operates properly for all other events over 1 day long.
Answers to either question are greatly appreciated!
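An added example, not part of the original post: in `eval`, concatenating with a null field yields null, which is why "Downtime" is blank when the optional `D` group does not match. The search below keeps the start time as an epoch value, derives days, hours and minutes arithmetically, and only prepends the day part when it is non-zero. The `makeresults` events, the `began`, `start` and `secs` field names, and the `%b` month format (matching the abbreviated month in the constructed sample) are assumptions.

```spl
| makeresults count=2 ```constructed sample events, not data from the post```
| streamstats count AS n
| eval began=if(n=1, now()-19000, now()-105400)
| eval issue="Link down since ".strftime(began, "%H%M")."Z ".strftime(began, "%d %b"), date_year=strftime(began, "%Y")
| rex field=issue ".+(?P<S_Time>\d{4})[Z]\s(?P<S_Date>\d{2}\s[A-Z][a-z]{2})"
| eval start=strptime(S_Time." ".S_Date." ".date_year, "%H%M %d %b %Y") ```parse once and keep the epoch value```
| eval secs=now()-start
| eval D=floor(secs/86400), H=floor((secs%86400)/3600), M=floor((secs%3600)/60)
| eval Downtime=if(D>0, D."D ", "").printf("%02dH %02dM", H, M) ```the day part is dropped under 24 hours```
| table issue Downtime
```

The first sample row renders without a day part and the second with one, and no second `rex` over the `tostring(duration,"duration")` output is needed.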