Solved: Re: Trying to dur2sec a HH field that is more than...

wweiland · ‎10-09-2013

I'm trying to dur2sec a hour field that is more than 24H and therefore doesn't work. Anyone have any suggestions on how I can get the seconds out of this type of HH:MM:SS?

Below is a sample output showing that below 24H works fine, everything above fails.

walltime wall
24:00:03

23:59:46 86386

kristian_kolb · ‎10-09-2013

You can do it manually;

blah blah | rex field=your_time_field "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)" | eval dur = (HH * 3600) + (MM * 60) + SS | table your_time_field dur

/K

View solution in original post

sowings · ‎10-09-2013

I think dur2sec might be aimed at something like a sendmail (x)delay field, where values over 24 hours are converted to days+HH:MM:SS. I'd go with @kristian.kolb 's solution shown below.

kristian_kolb · ‎10-09-2013

You can do it manually;

blah blah | rex field=your_time_field "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)" | eval dur = (HH * 3600) + (MM * 60) + SS | table your_time_field dur

/K

wweiland · ‎10-09-2013

Thank you for your help!

wrighke · ‎07-31-2019

Just want to add, if your timestamp included milliseconds, you can use:

| rex field=diff "(?\d+):(?\d+):(?\d+).(?\d+)"
| eval dur = (HH * 3600) + (MM * 60) + SS + (MS / 1000000)

my timestamp had 6 decimal places for ms, so I divide ms by 1,000,000

Trying to dur2sec a HH field that is more than 24H

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!