I need to convert a total number of seconds to a formatted time %H:%M:%S, but as there are a couple of million seconds, obviously %H is way more than 24. This way, days are completely ignored and it gives me only the last fraction of hours as the result.
For example, it converts 2716589 seconds to 10:36:29.
I do this:
| stats ... sum(time_each_event) as "total time" | convert timeformat="%H:%M:%S" ctime("total time")
I guess that the problem is the timeformat sentence. What I need is the big total of hours, including minutes and seconds of course, or else the number of days not to be ignored, that is 754:36:29 or 31d 10:36:29.
Like this:
... | eval "total time"=tostring($total time$,"duration")
The output is like 31+10:36:29,
which is a pretty standard way of representing durations in excess of 1 day in *nix.
Note that the '$' around "total time" in the eval is needed because there's a space in the field we're operating on.
Update
Check whether the search below works for you. If not, use total_time instead of "total time".
Version 5.0.1.
That works if I run it in the search app, exactly as you show, but it still doesn't work in my custom app. Look at the search command in the job inspector:
... | eval Time_formatted=tostring(Time,"duration") | stats count as "Total", max(Time_formatted) AS "max", sum(Time) AS "total sum", mode(foo) as "most" | eval "total sum"=tostring(,"duration")
Note that the $total sum$ argument disappears for no reason. In the inspector I get this debug message:
....'fatal': ['Error in \'eval\' command: The expression is malformed. An unexpected character is reached at \',"duration")\'.']}
What version of Splunk? - updated answer
Not working, dude. "Job appears to be expired..."
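
Added example, not part of the thread: one way to get the total-hours form the question asks for (754:36:29 for 2716589 seconds) using plain eval arithmetic instead of the "duration" format. The helper fields h, m and s are assumptions; the field with a space is referenced with single quotes, so the search string contains no $...$ pair that a dashboard could substitute as a token.

```spl
... | stats sum(time_each_event) as "total time"
| eval h=floor('total time'/3600)
| eval m=floor(('total time'%3600)/60)
| eval s=floor('total time'%60)
| eval "total time"=tostring(h).":".substr("0".tostring(m),-2).":".substr("0".tostring(s),-2)
| fields - h m s
```

The substr(...,-2) calls keep the last two characters, which zero-pads single-digit minutes and seconds.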