Hi
I have an interesting issue. My logs include format such as Day:Hour:Min:Sec. I need to strip out hour from logs and calculate the entire duration in seconds. How can I achieve it? I tried to include Day in calculation, but It's not working, so want to convert this to string and strip off day part.
More information:
I have a time format - 0:00:00:05
I was able to convert it to string - 00:00:05
eval time=strptime(test2,"%H:%M:%S")
- gave me 1465275605.000000
I need to convert this to duration in seconds. - 5 seconds
This is my search string so far:
eval test = tostring(JobStepsExecutionDuration) | eval test2 = substr(test,3,8) | eval time=strptime(test2,"%H:%M:%S")
Have you tried one of these converions, specifically the dur2sec()
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/Convert
Can you provide sample logs and example of what you're trying to do?
Have you tried one of these converions, specifically the dur2sec()
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/Convert
Convert it with rex...
| rex field=JobStepsExecutionDuration "(?<hh>\d+):(?<mm>\d+):(?<ms>\d+)" | eval dur = (hh * 3600) + (mm * 60) + dd | table JobStepsExecutionDuration dur
Works great for my dashboard!
Maybe you want to add day information, too. Well, this person is not looking for the value...
Without dur2sec() function, this could be a solution.
there is no Day info.. I was able to get to epoc time... question is how can I convert epoc time to seconds...
field - 00:00:05
epoc - 16959+05:00:05.000000
seconds - 5 ?
It worked.. turned out to be far simpler than I thought...
eval test = tostring(JobStepsExecutionDuration) | eval test2 = substr(test,3,8) || convert dur2sec(test2) As Durationseconds
Great. We got confused with your question and what you're looking for.
So, the value is not Duration. It is date time information in epoch time in seconds.
Please keep in mind that the result will be changed tomorrow because the string is assuming date information.
Hi , I tried but it's not working out..
so want to strip off Day part and try to convert it to time in terms of HH:MM:SS
Maybe you can try to change format of the JobStepsExecustionDuration to meet dur2sec() requirement
<your search> | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)
I tested this with the following search and it worked.
| stats count | eval JobStepsExecutionDuration="0:00:00:05" | rex field=JobStepsExecutionDuration mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(JobStepsExecutionDuration)
rex field=time mode=sed "s/^([^:]+)(:)/\1+/" | convert dur2sec(time) AS seconds
I get seconds as
jobstepduration seconds I need
00:00:05 1465275605.000000 5
00:00:22 1465275622.000000 22