Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert duration in seconds to [h]:mm:ss?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
auaave
Communicator
12-19-2017
09:22 PM
Hi,
I have a table with duration in seconds, how can I convert it to [h]:mm:ss? I want it to count the number of hours even if it is more than 1 day. Thanks!
Here is my query.
| dedup IDEVENT
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats sum(DURATION) as eventduration by DESCRIPTION _time
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
12-19-2017
09:30 PM
Hi
Can you please try | eval time=strftime(_time, "%H:%M:%S") or you can try | eval time=tostring(_time,"duration")
So your query will be
| dedup IDEVENT
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats sum(DURATION) as eventduration by DESCRIPTION _time
| eval time=strftime(_time, "%H:%M:%S")
and with second approach
| dedup IDEVENT
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats sum(DURATION) as eventduration by DESCRIPTION _time
| eval time=tostring(_time,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
12-19-2017
09:30 PM
Hi
Can you please try | eval time=strftime(_time, "%H:%M:%S") or you can try | eval time=tostring(_time,"duration")
So your query will be
| dedup IDEVENT
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats sum(DURATION) as eventduration by DESCRIPTION _time
| eval time=strftime(_time, "%H:%M:%S")
and with second approach
| dedup IDEVENT
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats sum(DURATION) as eventduration by DESCRIPTION _time
| eval time=tostring(_time,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
auaave
Communicator
12-19-2017
10:00 PM
@harsmarvania57 , thanks! The second approach works! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
12-19-2017
10:16 PM
@auaave, Glad to hear that it worked, please accept my answer and upvote it. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
12-19-2017
09:28 PM
Hi Auaave,
You can use strftime function using eval. For eg.
eval eventduration=strftime(eventduration,"%H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
auaave
Communicator
12-19-2017
09:59 PM
@p_gurav, thanks for your reply. 🙂
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
