USAGE OF CONVERT FUNCTION: dur2sec
“Dur2sec” is a function used with the convert command, which generally converts any duration (which needs to be in the following format for sure “HH:MM:SS”) into seconds.
Syntax:
|convert dur2sec(<field_name>)
Where, field_name= Name of the field which has the duration value.
Example:
We have the following data, showing loadTime of jobNames.
index="test_index" sourcetype="loadtimecsv"
| table jobName,loadTime
| eval ProcessingTime=replace(replace(replace(loadTime,"h",":"), "m",":"),"s","")
| convert dur2sec(ProcessingTime) as ProcessingTime_Sec
Result:
Explanation:
As you can see that we are taking the data from index “test_index” and “loadtimecsv” source type. Then using the table command we tabled our data jobName and loadTime. Here we want to convert our loadTime into seconds. Our loadTime is in the following format “HHhMMmSSs” but to apply we need to convert it into “HH:MM:SS”. That’s why we have used replace function with eval command to replace “h”,”m” and “s” with “:”, according to the format, that you can see in the “ProcessingTime” field. Then we have used the “dur2sec” function with the “convert” command to convert that string into seconds, which is available in the “ProcessingTime_Sec” field.
Happy Splunking!!
