How to convert custom time into minutes in splunk

Question

I have a field where it sends the time in either 1h3m45s or 3m45s format

I want to convert that into minutes to plot a graph out of it.

i have tried

| eval ProcessingTime=replace(replace(replace(LoadTime,"h",":"), "m",":"),"s","")
| eval ProcessingTime=strptime(ProcessingTime,"%H:%M:%S")

But it gives blank field.

EDIT:

| eval time="1h34m56s"  | eval ProcessingTime=strftime(strptime(time, "%Hh%Mm%Ss"),"%H:%M:%S")|convert dur2sec(ProcessingTime)|  eval TimeinMin=(ProcessingTime)/60  | table time, ProcessingTime,TimeinMin

This gives the time in Min which I am expecting but whe I have time=34m56s it does not return anything

Could you please help?

Answer 1

Try this to convert time in MM:SS.SSS(minutes, seconds, and subseconds) to a number in seconds.

sourcetype=syslog | convert mstime(_time) AS ms_time | table _time, ms_time

• The mstime() function converts the _time field values from a minutes and seconds to just seconds.

The converted time field is renamed ms_time.

The table command is used to show the original _time value and the converted time.

The mstime() function changes the timestamp to a numerical value. This is useful if you want to use it for more calculations.

Answer 2

rex to the rescue! This query handles the optional hour value.

| makeresults
| eval time="34m56s" 
| rex field=time "(?:(?<hr>\d+)h)?(?<min>\d+)m(?<sec>\d+)s"
| eval hr=coalesce(hr,0)
| eval ProcessingTime=hr.":".min.":".sec
| convert dur2sec(ProcessingTime) 
| eval TimeinMin=(ProcessingTime)/60 
| table time, ProcessingTime,TimeinMin

Answer 3

Pretty close, you can use convert dur2sec()

| eval ProcessingTime=replace(replace(replace(LoadTime,"h",":"), "m",":"),"s","")
| convert dur2sec(ProcessingTime)

If it doesn't work, remove the convert line and send what the value of ProcessingTIme is. It should look like HH:MM:SS format