Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conver string to time duration.

marquiselee
Path Finder
‎10-10-2013 01:18 PM

Hi I have logs where the media length/duration is displayed in a non standard format. anyone think this can be converted into seconds? *In some cases duration is reported as 0 too.

#   MEDIA ID   Duration

1       69911   1h 50mn
2       74454   1h 9mn
3       69910   1mn 58s
4       69909   59s 221ms
5       74453   17mn 4s
6       74452   2h 13mn
7       74451   0
8       74450   56s 134ms
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2013 09:06 AM

I'm not sure exactly what you want to convert the duration into. Something like this will put it in hh:mm:ss format. Or you could drop the tostring() call and just display the secs field.

| rex field=Duration "((?<Hrs>.*?)hr)?\s?((?<Mins>.*?)mn)?\s?((?<Sec>.*?)s)?" | fillnull value=0 | eval secs=(Hrs*3600)+Mins*60+Sec | eval Time=tostring(secs, "duration") | table Duration, Time
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 11:22 AM

THANK YOU!!! this worked perfectly.

0 Karma
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎10-11-2013 07:01 AM

each mediaid is from a distinct xml log file that is indexed. I should note that duration is not from a transaction but rather from the xml file.

...| xmlkv | table "MEDIA ID" "Duration"

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-10-2013 02:13 PM

is this within a single event? And there are no timestamps, field extractions etc etc

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...