How do i split a specific date format using rex fi...

umithchada · ‎12-05-2023

Hello Team,

I have the specific data:

1-10:20:30 (This stands for 1 day 10 hours 20 minutes 30 seconds)

10:20:30 (This stands for 10 hours 20 minutes 30 seconds)

20:30 (This stands for 10 hours 20 minutes 30 seconds)

I would like to create a table where I get the output in seconds

ELAPSED | seconds_elapsed

1-10:20:30 | 123630

10:20:30 | 37230

20:30 | 1230

Below is the rex format i am using to get this data. But for the last entry (20:30), i am getting an empty output. Is there a way to fix this?

| rex field=ELAPSED "((?<dd>\d+)\-?)((?<hh>\d+)\:?)((?<mm>\d+)\:)?(?<ss>\d+)$"
| eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss*1)
| table ELAPSED seconds_elapsed _time

gcusello · ‎12-05-2023

Hi @umithchada ,

please try this:

| rex field=ELAPSED "(?<dd>\d*)\-?(?<hh>\d*)\:?(?<mm>\d*)\:?(?<ss>\d*)$"
| eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss*1)
| table ELAPSED seconds_elapsed _time

You can test the regex at https://regex101.com/r/VfyG4S/1

Ciao.

Giuseppe

umithchada · ‎12-06-2023

Hello,

Unfortunately this is giving me blank entries if the duration is under a day.

We figured it out, and this logic seems to be working:

| rex field=ELAPSED  "((?<dd>\d*)-?)?((?<hh>\d+):?)?((?<mm>\d*):?)?(?<ss>\d+)$"
| rex field=ELAPSED  "((?<hhh>\d+):?)?((?<mmm>\d*):?)?(?<sss>\d+)$"
| rex field=ELAPSED "((?<mmmm>\d*):?)?(?<ssss>\d+)$"
| eval dd=If(isnotnull(hh),dd,0)
| eval hhh=If('mm'='mmm',hhh,0)
| eval mm=If('ss'='ssss',mmmm,0)
| eval elapsed_secs = coalesce((if(isnotnull(dd),dd,0)*86400)+(if(isnotnull(hh),hh,0)*3600)+(if(isnotnull(mm),mm,0)*60)+if(isnotnull(ss),ss,0),0)
| table ELAPSED elapsed_secs

How do i split a specific date format using rex field

search

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud