Datetime 如何在splunk中将自定义时间转换为分钟
我有一个字段,它以Datetime 如何在splunk中将自定义时间转换为分钟,datetime,splunk,splunk-query,Datetime,Splunk,Splunk Query,我有一个字段,它以1h3m45s或3m45s格式发送时间 我想把它转换成几分钟,画出一个图表 我试过了 | eval ProcessingTime=replace(replace(replace(LoadTime,"h",":"), "m",":"),"s","") | eval ProcessingTime=strptime(ProcessingTime,"%H:%M:%S") 但它给出了一个空白字段 编辑: 这给出了我期望的时间(以分钟为单位),但当我有时间=34m56s时,它不会返回任何
1h3m45s3m45s| eval ProcessingTime=replace(replace(replace(LoadTime,"h",":"), "m",":"),"s","")
| eval ProcessingTime=strptime(ProcessingTime,"%H:%M:%S")
您能帮忙吗?非常接近,您可以使用
convert dur2sec()如果无效,请删除转换行并发送
ProcessingTImeHH:MM:SSconvert dur2sec()如果无效,请删除转换行并发送
ProcessingTIme| makeresults
| eval time="34m56s"
| rex field=time "(?:(?<hr>\d+)h)?(?<min>\d+)m(?<sec>\d+)s"
| eval hr=coalesce(hr,0)
| eval ProcessingTime=hr.":".min.":".sec
| convert dur2sec(ProcessingTime)
| eval TimeinMin=(ProcessingTime)/60
| table time, ProcessingTime,TimeinMin
|生成结果
|评估时间=“34m56s”
|rex字段=时间“(?:(?
\d+)h”?(?\d+)m(?\d+)s”
|eval hr=聚结(hr,0)
|eval ProcessingTime=hr.:.min.:.sec
|转换dur2sec(处理时间)
|评估时间最小=(处理时间)/60
|表时间、处理时间、时间最小值
rex| makeresults
| eval time="34m56s"
| rex field=time "(?:(?<hr>\d+)h)?(?<min>\d+)m(?<sec>\d+)s"
| eval hr=coalesce(hr,0)
| eval ProcessingTime=hr.":".min.":".sec
| convert dur2sec(ProcessingTime)
| eval TimeinMin=(ProcessingTime)/60
| table time, ProcessingTime,TimeinMin
|生成结果
|评估时间=“34m56s”
|rex字段=时间“(?:(?
\d+)h”?(?\d+)m(?\d+)s”
|eval hr=聚结(hr,0)
|eval ProcessingTime=hr.:.min.:.sec
|转换dur2sec(处理时间)
|评估时间最小=(处理时间)/60
|表时间、处理时间、时间最小值
sourcetype=syslog | convert mstime(_time) AS ms_time | table _time, ms_time
函数将mstime()
字段值从分钟转换为分钟 几秒钟到几秒钟\u time
ms\u time\u时间mstime()sourcetype=syslog | convert mstime(_time) AS ms_time | table _time, ms_time
函数将mstime()
字段值从分钟转换为分钟 几秒钟到几秒钟\u time
ms\u time\u时间mstime()2h55m34s55m34s2h55m34s