[UPDATED to allow for shorter time periods]

This should be faster:

| makeresults
 | eval secs=678393
 | eval strSecs=tostring(secs,"duration")
 | rex field=strSecs mode=sed "s/((((\d*)\+)?(\d*):)?(\d*):)?(\d*)/\4 days \5 hrs \6 min \7 sec/"

The original would only work well if there were all 4 values. I updated the rex to do shorter time periods (even down to less than 1 minute). It isn't a complete result with a result having 0 days, only days, so it isn't perfect, but it is better than the original. With an additional rex, it can fix that:

| makeresults
| eval secs=67839
| eval strSecs=tostring(secs,"duration")
| rex field=strSecs mode=sed "s/((((\d*)\+)?(\d*):)?(\d*):)?(\d*)/\4 days \5 hrs \6 min \7 sec/"
| rex field=strSecs mode=sed "s/^ days/0 days/"

Hmm, fun. I'm lost on where to insert this into my existing search as makeresults seems to want to be first in line before I even tell it what index to look at.

@gabarrygowin, community members use makeresults to mimic dummy data. You need to plug in your actual query. It should look like the following.

index=windows host!=*.xx.com EventCode=6013 
| rex field=Message "The system uptime is\s+(?P<secs>\d+)\s+seconds"
| eval secs=tostring(secs,"duration")
| eval secs=if(match(secs,"\+"),replace(secs,"(\d+)\+(\d+)\:(\d+)\:(\d+)","\1 Day \2 Hr \3 Min \4 Secs"),replace(secs,"(\d+)\:(\d+)\:(\d+)","\1 Hr \2 Min \3 Secs"))
| table secs

Error in 'eval' command: The expression is malformed. Expected ).
The search job has failed due to an error. You may be able view the job in the Job Inspector.

looks like it just needs one more parenthesis. I can't try this out completely because I don't have your data so the base search doesn't work, but it should fix the eval problem:

 index=windows host!=*.xx.com EventCode=6013 
 | rex field=Message "The system uptime is\s+(?P<secs>\d+)\s+seconds"
 | eval secs=tostring(secs,"duration")
 | eval secs=if(match(secs,"\+"),replace(secs,"(\d+)\+(\d+)\:(\d+)\:(\d+)","\1 Day \2 Hr \3 Min \4 Secs"),replace(secs,"(\d+)\:(\d+)\:(\d+)","\1 Hr \2 Min \3 Secs"))
 | table secs

@gabarrygowin, sorry I had missed out closing parenthesis in both Run Anywhere example and the updated query above. I have updated the same please try again.

@cpetterborg, thanks again for helping out 🙂

This is somewhat incomplete, but you would put this in your search like this:

index=windows sourcetype=WinEventLog* host!="*.xx.com" EventCode=6013 
| rex field=Message "The system uptime is\s+(?P<secs>\d+)\s+seconds" 
| eval strSecs=tostring(secs,"duration")
| rex field=strSecs mode=sed "s/(\d*)\+(\d*):(\d*):(\d*)/\1 day \2 hrs \3 min \4 sec/"

Thanks much for the replay. I like your rex much more. The search completes now, but with now data going to Statistics.

I greatly appreciate the effort you're putting in and apologize for the difficulties.

That recent code got me:
Windows AVG Uptime distinct_count(host)
11+18h 13min 13s.500000 1
6+04h 03min 59s.000000 1
6+06h 45min 55s.000000

I'm looking more for a simple counter that display the average uptime in days,hour,min for all our Windows hosts. May be I didn't paint the requirement correctly?

Hmm, with your help, I think I'm really close now.

Search:
index=windows host!=*.xx.com EventCode=6013 | rex field=Message "The system uptime is\s+(?P\d+)\s+seconds" | eval secs=secs/86400 | stats avg(secs) as "Windows AVG Uptime"

Results;
Windows AVG Uptime
23.887137

Conclusion: "IF" the functions are working correctly, our average time up is 23.8 days.

To clarify, the search is executing now, but "No results found". I know there are events there that match what we're trying to pull.

try this
index=wineventlog host!=xxx.com EventCode=6013 
| rex field=Message "The system uptime is\s+(?P<secs>\d+)\s+seconds" 
| stats avg(secs) AS secs by host 
| convert rmunit(secs) as numSecs 
| eval stringSecs=tostring(numSecs,"duration") 
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s") 
| fields - secs numSecs 
| rename stringSecs as "Windows AVG Uptime"