- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Converting [h]:mm:ss into hour, minutes and second...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkers!
How should i modify the regula expression
| rex field=duration "(?<hour>\d{2}):(?<min>\d{2}):(?<sec>\d{2})"
to be able to convert in the same time into hours, minutes and seconds time value like
1;20:15 or 11:20:15?
Final goal is to calculate duration in seconds, with this simple codeline
| eval duration_h = hour+min/60+sec/3600
Currently code it is working only for the second format (values having hours with only 1 char are not converted).
Tks!
Carmine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using the curly braces you're telling RegEx to look for exactly two digits. If you want one or two digits try this:
| rex field=duration "(?<hour>\d{1,2}):(?<min>\d{2}):(?<sec>\d{2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey, you do not need to extract hour minute and sec and write eval for conversion, as there is already a ready-made conversion command called convert. If you do not have field which is in HH:MM:SS format then you can write | eval time=strftime(strptime(time,"%Y/%m/%d %H:%M:%S"),"%H:%M:%S") OR you can use regex which you already have and then write convert command.
Try this run anywhere search
| makeresults
| eval time="14:50:40"
| convert dur2sec(time) as duration
In your environment, you should write
<your_base_search>
| convert dur2sec(time) as duration
For more information, have a look at this doc:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Convert
let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to convert duration into hour, min and sec try below:
| rex field=duration "(?<hour>\d{1,2}):(?<min>\d{1,2}):(?<sec>\d{2})"
and to convert into seconds :
| eval duration_s = (hour*3600)+(min*60)+sec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using the curly braces you're telling RegEx to look for exactly two digits. If you want one or two digits try this:
| rex field=duration "(?<hour>\d{1,2}):(?<min>\d{2}):(?<sec>\d{2})"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
