Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I convert Duration field in sec to day Hr Min Sec?

Abhineet
Loves-to-Learn Everything
‎07-08-2022 04:43 AM

Base query:

index=jenkins* teamcenter
|search event_tag=job_event
|search build_url=*TC_Active*
|where isnotnull(job_duration)
|rex field=job_name "(?<app>[^\.]*)\/(?<repo>[^\.]*)\/(?<jobname>[^\.].*)"
|rex field=metadata.GIT_BRANCH_NAME "(?<branch>.*)"
|rex field=user "(?<user>[^\.]*)"
|search app="*" AND repo="*" AND jobname="*" AND branch="*" AND user="*"
| eval string_dur = tostring(round(job_duration), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|rename job_started_at AS DateTime app AS Repository branch AS Branch jobname AS JobName job_result AS Job_Result formatted_dur AS Job_Duration "stages{}.name" AS "Stage View" "stages{}.duration" AS Duration
|table DateTime Repository Branch JobName Job_Result Job_Duration "Stage View" Duration

Output: 

DateTime Repository Branch JobName Job_Result Job_Duration Stage View Duration

2022-07-07T11:47:39Z TeamCenter/TC_Active/TCUA_Builds release/ALM_TC15.5 AMAT_Key_Part_Family_Extraction SUCCESS d 0h 15m 35s
Preparation
Sonar Analysis
Build
Save Artifacts
108.817
419.698
15.819
376.698
2022-07-07T17:14:49Z TeamCenter/TC_Active/Portal release/ALM_TC15.5 com.amat.rac SUCCESS d 0h 25m 49s
Preparation
Sonar Analysis
Build
Save Artifacts
105.014
1309.388
29.486
101.647

 

Need to add another column in output "stage_duration" which will convert "Duration" field value in  "Day Hr Min Sec" format. 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 06:36 AM

Hi @Abhineet,

let me understand: you have a field, called "stage_duration" that contains a duration expressed in seconds and you want to rename it in "Duration" and display in format days, hours, minutes, seconds, is it correct?

Sorry but I don't understand why at the end of your servs you don't add:

| eval Duration=tostring(stage_duration,"duration")

Ciao.

Giuseppe

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 07:02 AM

Hi @gcusello 

We have field "Duration" in output sent previously as image.

Want to convert all  "Duration " field value into "day Hr Min Sec" format as field "Stage_Duration".

For single event we have multiple "Duration" field Value as per "Stage View" field mentioned in below mentioned sample output image.

Abhineet_0-1657288863765.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 07:16 AM

Hi @Abhineet,

viewing your screenshot, I see that Duration is a multivalue field so the tostring option doesn't run.

Ciao.

Giuseppe 

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 08:17 AM

Hi @gcusello 

That's correct, how we can format the value of "Duration" field in "HH:MM:SS" format?

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 05:07 AM

Formatted Output for query inserted as image.

Abhineet_0-1657282060041.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-08-2022 05:07 AM

Hi @Abhineet,

why don't you use for these fields the "tostring" option that you already used?

Ciao.

Giuseppe

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-08-2022 05:10 AM

HI @gcusello 

That is not working as in single event have multiple stages and those stages duration need to format.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...