Solved: Conver string to time duration.

marquiselee · ‎10-10-2013

Hi I have logs where the media length/duration is displayed in a non standard format. anyone think this can be converted into seconds? *In some cases duration is reported as 0 too.

#   MEDIA ID   Duration

1       69911   1h 50mn
2       74454   1h 9mn
3       69910   1mn 58s
4       69909   59s 221ms
5       74453   17mn 4s
6       74452   2h 13mn
7       74451   0
8       74450   56s 134ms

richgalloway · ‎10-11-2013

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-11-2013

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time

---
If this reply helps you, Karma would be appreciated.

marquiselee · ‎10-11-2013

THANK YOU!!! this worked perfectly.

marquiselee · ‎10-11-2013

each mediaid is from a distinct xml log file that is indexed. I should note that duration is not from a transaction but rather from the xml file.

...| xmlkv | table "MEDIA ID" "Duration"

kristian_kolb · ‎10-10-2013

is this within a single event? And there are no timestamps, field extractions etc etc

Conver string to time duration.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life