Solved: How to transform a field into a time format?

skoelpin · ‎09-18-2015

I extracted deployment time from events and it's currently in this format 0:04.645 and 1:30.123 and is in terms of Minutes, Seconds, Milliseconds. I need to sum this time up every day and graph it.

How can I put this in a time format in seconds?

Example:

0:04.645
1:30.123

sum = 94.768 seconds

bmacias84 · ‎09-18-2015

Use the strptime command.

... |eval atime=strptime(fieldname, "%M:%S.%3N")

View solution in original post

woodcock · ‎09-18-2015

You need the tostring like this:

...  | rex field=field1 "(?<H>.*?))?:?((?<M>.*?))?:?(?<S>.*?)" | fillnull value=0 | eval onlySeconds1 =  S + 60*(M + 60*H) | rex field=field2 "(?<H>.*?))?:?((?<M>.*?))?:?(?<S>.*?)" | fillnull value=0 | eval onlySeconds2 =  S + 60*(M + 60*H) | eval =sumSeconds = onlySeconds1 + onlySeconds2 | eval sumTime = tostring(sumSeconds, "duration")

bmacias84 · ‎09-18-2015

Use the strptime command.

... |eval atime=strptime(fieldname, "%M:%S.%3N")

woodcock · ‎08-12-2016

Does this really work? First of all, it is not syntactically correct (missing eval). Secondly it generates a time_t, not a duration.

How to transform a field into a time format?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor