convert

convert is a popular search command (most often used as convert ctime(...) to turn epoch seconds such as _time into a readable timestamp) and it is used in all sorts of situations. Below are some useful searches that use convert along with other search commands.

Search to end all errors

index=_internal sourcetype="splunkd" log_level="ERROR" 
| stats sparkline count dc(host) as hosts latest(_raw) as last_raw_msg values(sourcetype) as sourcetype min(_time) as first_msg_time max(_time) as last_msg_time values(index) as index by punct 
| eval delta=round((last_msg_time-first_msg_time),2) 
| eval msg_per_sec=if(delta>0, round((count/delta),2), null()) 
| convert ctime(last_msg_time) ctime(first_msg_time) 
| table last_raw_msg count hosts sparkline msg_per_sec sourcetype index first_msg_time last_msg_time delta 
| sort -count

purpose:

Identifies frequently occurring errors in your Splunk instance. Grouping by punct collapses messages that differ only in their variable parts (hosts, paths, numbers) into one row, so the table shows error shapes rather than individual lines. min(_time)/max(_time) give the oldest and newest occurrence regardless of search order, so delta is always non-negative; msg_per_sec is left null for groups seen only once rather than dividing by zero. Knocking out the top 10 on this list will make your Splunk instance very happy.

requirements:

comments:

calculate duration without weekends

| makeresults count=5 
| eval aging=random()%25 
| eval end=_time 
| eval start=end-(aging*86400) 
| eval range=mvrange(start, end, 86400) 
| convert ctime(range) timeformat="%+" 
| eval BusinessDays=mvcount(mvfilter(NOT match(range,"(Sun|Sat).*")))

purpose:

calculate a duration excluding weekend days

requirements:

comments:

Given a start and end time, calculates the duration in business days, excluding weekends: mvrange expands the interval into one value per day, convert ctime with timeformat="%+" renders each one as a string that begins with the weekday name (e.g. "Sat Jan 06 ..."), and mvfilter drops the values matching Sat or Sun before mvcount counts the rest. Two caveats: mvrange stops before end, so the end day itself is not counted (and start equal to end gives an empty multivalue, for which mvcount returns null rather than 0), and ctime renders in the search's time zone, so pick start and end accordingly. Public holidays are not excluded.
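To check the weekend-exclusion logic offline against known dates, here is an added Python mirror of the mvrange, convert ctime, mvfilter and mvcount steps. This is example code written for this page, not Splunk's implementation; it assumes UTC so the result does not depend on a search head's time zone, and spells out the fields of "%+" because Python's strftime does not support that specifier portably.

```python
# Added example, not from the original page: a Python mirror of the SPL
# mvrange -> convert ctime -> mvfilter -> mvcount pipeline, so the business
# day count can be checked offline against known dates. UTC is an assumption
# made here; Splunk's convert ctime renders in the search time zone.
from __future__ import annotations

from datetime import datetime, timezone

DAY = 86400  # the mvrange step used in the search: one day in seconds


def epoch(year: int, month: int, day: int) -> int:
    """Epoch seconds for midnight UTC on the given date (sample-input helper)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def mvrange(start: int, end: int, step: int) -> list[int]:
    """Same semantics as SPL mvrange: start inclusive, end exclusive."""
    return list(range(start, end, step))


def ctime(t: int) -> str:
    """Render like convert ctime(...) timeformat="%+", e.g. 'Mon Jan 01 00:00:00 2024'.
    Python's strftime has no portable %+, so the equivalent fields are listed."""
    return datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def business_days(start: int, end: int) -> int:
    """BusinessDays=mvcount(mvfilter(NOT match(range,"(Sun|Sat).*"))).
    Differs from SPL in one spot: an empty range returns 0 here, null in SPL."""
    rendered = [ctime(t) for t in mvrange(start, end, DAY)]
    weekdays = [s for s in rendered if not s.startswith(("Sat", "Sun"))]
    return len(weekdays)


if __name__ == "__main__":
    # Constructed sample: Mon 2024-01-01 to Mon 2024-01-08 covers Mon..Sun.
    start, end = epoch(2024, 1, 1), epoch(2024, 1, 8)
    for t in mvrange(start, end, DAY):
        print(ctime(t))
    print("BusinessDays:", business_days(start, end))
    # mvrange is end-exclusive: the end day is never counted, and a
    # zero-length interval yields nothing.
    print("Same start and end:", business_days(start, start))
```

Run it with any two dates you already know the answer for; if the SPL and this script disagree, the usual cause is the time zone of the search head shifting a midnight boundary onto the previous or next weekday.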