I am trying to create a dashboard for the Job status and I want to convert the job duration to HH:MM:SS. I use the below Splunk search which gives result, but when the duration is more than 24 hours it outputs 1+10:29:14.000000 and with this I cannot sort the long running jobs. I want the duration always in HH:MM:SS. Any suggestions
My searh|eval starttime = strptime(start,"%m/%d/%Y %H:%M:%S")|eval endtime = strptime(end,"%m/%d/%Y %H:%M:%S") |eval Diff=tostring((endtime-starttime ),"duration")|search Status!=RU|dedup job|table job start end Diff.
So instead of 1+10:29:14.000000 I want to out it as 34:29:14
↧