Hi, I wonder whether someone could help me please.
I'm using the query below to extract information about searches that have been performed.
```
|rest /services/search/jobs
|rename custom.search as customSearch
|search NOT author="splunk-system-user"
|eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
|search SearchString!=""
|convert ctime(searchEarliestTime) as STime timeformat=%d/%m/%y
|convert ctime(searchLatestTime) as LTime timeformat=%d/%m/%y
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|table author SearchString duration stringSecs
```
I'm having a little difficulty with this line: `eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")`
Could someone tell me please how I could change this to display the milliseconds as "ms" in the same vein in which the hours, minutes and seconds are shown?
I've tried the obvious `eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)\.(\d+)","\1h \2min \3s \4ms")` but this doesn't work.
I just wondered whether someone could point out where I've gone wrong please.
Many thanks and kind regards
Chris