Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Coverting EPOCH time to Hours, Minutes, Seconds format

jackreeves
Explorer
‎03-15-2018 04:52 AM

I have an issue where I have a number of fields in my data in following format of "%H:%M:%S" and they are stored as text. Therefore I cannot do any stats calculations such as avg on these fields.

I am trying to convert these fields in EPOCH time using the strptime, this then allows me to calculate an average & convert back to "%H:%M:%S" format.

However, some of the calculations aren't converting back correctly.

Full search query:
sourcetype=diags_yesterday Priority=A "Next Ind"!=C Team=DIAG
| eval actual_stack_time1=strptime(actual_stack_time,"%H:%M:%S")
| eval handling_time1=strptime(handling_time,"%H:%M:%S")
| stats count as "Call Volume" avg(actual_stack_time1) as "actual_stack_time1" avg(handling_time1) as "handling_time1" by Day DOW
| eval "Avg. Time on Stack"=strftime(actual_stack_time1, "%H:%M:%S")
| eval "Avg. Handling Time"=strftime(handling_time1,"%H:%M:%S")
| fields Day DOW "Call Volume" "Avg. Handling Time" "Avg. Time on Stack"

EXAMPLE before adding the strftime syntax:
Day DOW Call Volume actual_stack_time1 handling_time1
06/03 Tue 24 1521072478.75 1521072078.1666667

This should then convert to 01:01:18 and 01:07:58 but currently is returning as 00:01:18 and 00:07:58.

Can anyone help?

Thanks,
Jack

0 Karma
Reply

p_gurav
Champion
‎03-15-2018 06:20 AM

Hi,

Can you try:

     sourcetype=diags_yesterday Priority=A "Next Ind"!=C Team=DIAG Day=06/03/2018 
     | convert num(actual_stack_time) as "actual_stack_time1" 
     | convert num(handling_time) as "handling_time1" 
     | stats count as "Call Volume" avg(actual_stack_time1) as "actual_stack_time1" avg(handling_time1) as "handling_time1" by Day
     | eval handling_time1=round(handling_time1,0) 
     | convert timeformat="%H:%M:%S" ctime(actual_stack_time1)
      | convert timeformat="%H:%M:%S" ctime(handling_time1)
0 Karma
Reply

jackreeves
Explorer
‎03-15-2018 06:34 AM

Still returning same result 😞

0 Karma
Reply

jackreeves
Explorer
‎03-15-2018 09:16 AM

It appears to be adding an extra hour to every value. If I amend the Time Zone in administrator settings this also impacts it?

Any ideas?

0 Karma
Reply

tiagofbmm
Influencer
‎03-15-2018 05:55 AM

Hey

Sorry but I checked the values and it should convert to 00:01:18 and 00:07:58, check here https://www.epochconverter.com/

0 Karma
Reply

jackreeves
Explorer
‎03-15-2018 06:10 AM

Unsure what is going wrong because when I calculate the avg in Excel it is 01:01:18 and 01:07:58.

I've amended the search to the following:

sourcetype=diags_yesterday Priority=A "Next Ind"!=C Team=DIAG Day=06/03/2018 
| convert num(actual_stack_time) as "actual_stack_time1" 
| convert num(handling_time) as "handling_time1" 
| stats count as "Call Volume" avg(actual_stack_time1) as "actual_stack_time1" avg(handling_time1) as "handling_time1" by Day
| eval handling_time1=round(handling_time1,0) 
| eval "Avg. Time on Stack"=strftime(actual_stack_time1,"%H:%M:%S") 
| eval "Avg. Handling Time"=strftime(handling_time1,"%H:%M:%S")

Now returning with the values of 02:01:18 and 02:07:58. The actual_stack_time1=4078.75secs and handling_time1=3678secs. This converted should equal 01:01:18 and 01:07:58

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...