Splunk Search

Time conversion of big amount of seconds

javo
Explorer

I need to convert a total number of seconds to a formatted time %H:%M:%S, but as there are a couple of million seconds, obviously %H is way more than 24. This way, days are completely ignored and it gives me only the last fraction of hours as the result.
For example, it converts 2716589 seconds to 10:36:29.

I do this:

| stats ... sum(time_each_event) as "total time" | convert timeformat="%H:%M:%S" ctime("total time")

I guess that the problem is the timeformat sentence. What I need is the big total of hours, including minutes and seconds of course, or else the number of days not to be ignored, that is 754:36:29 or 31d 10:36:29.

jonuwz
Influencer

Like this:

... | eval "total time"=tostring($total time$,"duration")

output is like 31+10:36:29 which is a pretty standard way of representing durations in excess of 1 day in *nix

Note that the '$' around "total time" in the eval is needed because there's a space in the field we're operating on.

Update

Check the search below works for you. If not use total_time instead of "total time"

javo
Explorer

Version 5.0.1.
That works if I run it in the search app, exactly as you show, but it still doesn't work in my custom app. Look at the search command in the job inspector:

... | eval Time_formatted=tostring(Time,"duration") | stats count as "Total", max(Time_formatted) AS "max", sum(Time) AS "total sum", mode(foo) as "most" | eval "total sum"=tostring(,"duration")

Note that the $total sum$ argument disappears for no reason. In the inspector I get this debug message:

....'fatal': ['Error in \'eval\' command: The expression is malformed. An unexpected character is reached at \',"duration")\'.']}

0 Karma

jonuwz
Influencer

What version of Splunk? - updated answer

0 Karma

javo
Explorer

Not working, dude. "Job appears to be expired..."

0 Karma
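
An added example, not part of any post above: SPL that derives both formats the question asks for (total hours, and days plus hours) from a constructed sample value of 2716589 seconds, alongside the `tostring(...,"duration")` form from the answer. It refers to the spaced field name with single quotes, which is eval's syntax for field names and keeps `$...$` sequences, which dashboards and saved searches treat as tokens, out of the search string. `makeresults` and the helper fields `h`, `m`, `s`, `d` are assumptions chosen for illustration.

```spl
| makeresults
| eval "total time"=2716589
| eval duration=tostring('total time',"duration")
| eval h=floor('total time'/3600)
| eval m=floor(('total time'%3600)/60)
| eval s='total time'%60
| eval d=floor(h/24)
| eval total_hms=tostring(h).":".substr("0".tostring(m),-2).":".substr("0".tostring(s),-2)
| eval days_hms=tostring(d)."d ".substr("0".tostring(h%24),-2).":".substr("0".tostring(m),-2).":".substr("0".tostring(s),-2)
| table "total time" duration total_hms days_hms
```

On real data, replace the first two lines with the `stats ... sum(time_each_event) as "total time"` search from the question.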