Hi.

Followed instructions, build a query:
My_Search
|rename "nodes{}.hostname" as "Host Name"
|rename "nodes{}.uptime_seconds" as uptime_seconds
|eval UP_TIME = tostring(round(secs), "duration")
|eval UpTime = replace(UP_TIME,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
|eval result=replace(UpTime, "^d (0h (0m )?)?","")
|table "Host Name", UpTime, "uptime_seconds" 
-------------------------
In the result table I gut value in "uptime_second" field, but not "in UpTime"
UpTime field is empty.

Any sugestions?

Thank you in advance

|eval UP_TIME = tostring(round(secs), "duration")

should be

|eval UP_TIME = tostring(round(uptime_seconds), "duration")

Thank you.

I realise this is getting a bit old, but in case it helps someone else (like this helped me!), I'll share my extension of this answer.

I wanted to include days in the result, and remove leading zeroes from terms, and leading terms if they were zero. This is my query:

| eval string_dur = tostring(round(secs), "duration") 
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval result=replace(formatted_dur, "^d (0h (0m )?)?","") 

Sample results (including intermediate strings):

secs         string_dur   formatted_dur    result
-----------  -----------  ---------------  ---------------
      2.000  00:00:02     d 0h 0m 2s       2s  
     12.500  00:00:13     d 0h 0m 13s      13s  
    144.333  00:02:24     d 0h 2m 24s      2m 24s  
   1728.250  00:28:48     d 0h 28m 48s     28m 48s  
  20736.200  05:45:36     d 5h 45m 36s     5h 45m 36s  
 248832.167  2+21:07:12   2d 21h 7m 12s    2d 21h 7m 12s  
2985984.143  34+13:26:24  34d 13h 26m 24s  34d 13h 26m 24s  

Note that this does not work if numSecs=0, as tostring returns 00:00:00 and the regex does not match.

| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")

add

| convert rmunit(secs) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs)
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")

fixed it, not especially elegant...

this is awesome, thanks!

Use eval() and then try to convert into h:m:s

Broken link 😞

Hi @rijom 

Could this be what you're looking for?

https://community.splunk.com/t5/Splunk-Search/How-to-convert-seconds-to-h-mm-ss/m-p/291666

Looks like the link is no longer working or never worked in the past (there isnt a splunk-base.splunk.com anymore it seams.

Simon -- Your macro: sla-sec2time(2) is that the name of your index source? I need the same, per the below, and currently have a Days Hours Minutes Seconds column! 😞 sigh.

For those who're interested, see my macro (macros.conf):

[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0

I think a macro will do it. Thanks for your answer!

Not that I am aware of. I guess you could create your own custom search command but i don't know how much easier this makes your searches. Probably not worth it.

http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/SearchScripts

Hi
Thanx, so far I've seen this post already which worked fine. I was wondering if there's a built-in function available in the meantime.