How to convert a timespan string with fractional seconds (eg. HH:MM:SS.ff..) in Splunk for charting?
Question
Splunk as the dur2sec convert function which "convert[s] a duration format [D+]HH:MM:SS to seconds"..
However, the data in the JSON-formatted logs (via Serilog) comes from a .NET timespan source value which has been serialized as "00:00:00.2787721" - note the fractional second component.
What is the least painful way to import this string into Splunk as a fractional second value (ie. 0.2787721 ) such that it can be used for graphing? The timeformat= option of convert does not seem to apply to timespan conversion functions.
Using rex + math (or other seriously convoluted sequence of evals) is not a simple or easily reproducible way to extract the data; I doubt I am the first person to try and consume from such a "commonly" formatted value.
1 answers
solution1
0 2019-10-23 11:28:44
您可以使用strptime()获取以秒为单位的Unix时间的持续时间,然后从中减去“ 0秒Unix时间”,即“ Unix时间0”,以获取实际秒数。
|eval number=strptime(Duration,"%H:%M:%S.%2N")-strptime("00:00:00.00","%H:%M:%S.%2N")
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.