Solved: duration to seconds

tmarlette · ‎09-01-2017

I'm attempting to turn the duration of a process in the PS data into just seconds so I can sort appropriately and find the longest running processes for a single host. All of the data is being generated using the Splunk_TA_nix add-on.

IN this case, the problem seems to be when processes run for longer than 24 hours. The format comes out like this: 1-05:51:38
which I assume splunk is looking for a '+' instead of a '-' for the day count.

here's my current query:

index=nix sourcetype=ps 
| convert dur2sec(ELAPSED) as runTime
| stats avg(pctCPU) as CPU avg(pctMEM) as MEM by host pid runTime
| sort - runTime
| eval runTime=tostring(runTime, "duration")

This gives me an output that looks like this:

If I am to remove all of the conversion syntax, I get entries like this:

buuuuuttt, I can't sort on it because splunk doesn't recognize this as a field to sort ascending/descending.

Is there a way to do sort this field, or change it to seconds properly somehow?

DalJeanis · ‎09-01-2017

You Could do something like this...

|makeresults 
| eval ELAPSED="1-05:00:04 01:23:45 53:21 :17"
| makemv ELAPSED
| mvexpand ELAPSED
| rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)"
| eval runtime=86400*Coalesce(ElapsedDays,0) + 3600*Coalesce(ElapsedHours,0) + 60*Coalesce(ElapsedMinutes,0) + 1*Coalesce(ElapsedSeconds,0)

View solution in original post

DalJeanis · ‎09-01-2017

You Could do something like this...

|makeresults 
| eval ELAPSED="1-05:00:04 01:23:45 53:21 :17"
| makemv ELAPSED
| mvexpand ELAPSED
| rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)"
| eval runtime=86400*Coalesce(ElapsedDays,0) + 3600*Coalesce(ElapsedHours,0) + 60*Coalesce(ElapsedMinutes,0) + 1*Coalesce(ElapsedSeconds,0)

woodcock · ‎09-03-2017

Exactly how I would have done it, but inside of a macro.

DalJeanis · ‎09-03-2017

@woodcock - what, and make it repeatable and modular? Where's the fun in that? I'd much rather code it
from scratch every single time... zzzzz... huh, what was I saying?

Would you do it with two parameters, the input field and output field, while allowing them to be the same if desired?

Of course you would. And the intermediate rex-extract fields would probably be some set of characters that were meaningful but highly unlikely to exist in natural code. I've seen you use l33t for that purpose before, or just for fun.

tmarlette · ‎09-05-2017

I tried this, and it does work. The only catch is that my search is exceptionally slow due to the |mv commands I suspect. more tinkering....

DalJeanis · ‎09-05-2017

@tmarlette - sorry I didn't mark it for you - you only need lines 5 and 6. 1 thru 4 were to create test data.

tmarlette · ‎09-06-2017

yeah, I caught that. It woks fine, it's just pretty slow on my search head is all. Thanks for the help!

DalJeanis · ‎09-06-2017

@tmarlette - Hmmm. I don't see anything in that that should take very long.

Okay, there's a possibility that because of the question marks the rex is doing a little extra work backing up. Let's anchor the right side of the field and see if that cuts the time.

 | rex field=ELAPSED "^((?<ElapsedDays>\d*)-)?((?<ElapsedHours>\d+):)?(?<ElapsedMinutes>\d+)?:(?<ElapsedSeconds>\d+)$"

duration to seconds

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes