convert - Splunk Documentation (2024)

Table of Contents
Description Syntax Required arguments Optional arguments Convert functions Usage Basic examples 1. Convert all field values to numeric values 2. Convert field values except for values in specified fields 3. Change the duration values to seconds for the specified fields 4. Change the sendmail syslog duration format to seconds 5. Convert field values that contain numeric and string values 6. Change memory values to kilobytes Extended Examples 1. Convert a UNIX time to a more readable time format 2. Convert a time in MM:SS.SSS to a number in seconds 3. Convert a string time in HH:MM:SS into a number See also FAQs References

Description

The convert command converts field values in your search results into numerical values. Unless you use the AS clause, the original values are replaced by the new values.

Alternatively, you can use evaluation functions such as strftime(), strptime(), or tonumber() to convert field values.

Syntax

convert [timeformat=string] (<convert-function> [AS <field>] )...

See Also
Conversion functions - Splunk Documentation

Required arguments

<convert-function>
Syntax: auto() | ctime() | dur2sec() | memk() | mktime() | mstime() | none() | num() | rmcomma() | rmunit()
Description: Functions to use for the conversion.

Optional arguments

timeformat
Syntax: timeformat=<string>
Description: Specify the output format for the converted time field. The timeformat option is used by ctime and mktime functions. For a list and descriptions of format options, see Common time format variables in the Search Reference.
Default: %m/%d/%Y%H:%M:%S. Note that this default does not conform to the locale settings.
<field>
Syntax: <string>
Description: Creates a new field with the name you specify to place the converted values into. The original field and values remain intact.

Convert functions

auto()
Syntax: auto(<wc-field>)
Description: Automatically convert the fields to a number using the best conversion. Note that if not all values of a particular field can be converted using a known conversion type, the field is left untouched and no conversion at all is done for that field. You can use a wildcard ( * ) character to specify all fields.
ctime()
Syntax: ctime(<wc-field>)
Description: Convert a UNIX time to an ASCII human readable time. Use the timeformat option to specify the exact format to convert to. You can use a wildcard ( * ) character to specify all fields.
dur2sec()
Syntax: dur2sec(<wc-field>)
Description: Convert a duration format "[D+]HH:MM:SS" to seconds. You can use a wildcard ( * ) character to specify all fields.
memk()
Syntax: memk(<wc-field>)
Description: Accepts a positive number (integer or float) followed by an optional "k", "m", or "g". The letter k indicates kilobytes, m indicates megabytes, and g indicates gigabytes. If no letter is specified, kilobytes is assumed. The output field is a number expressing quantity of kilobytes. Negative values cause data incoherency. You can use a wildcard ( * ) character to specify all fields.
mktime()
Syntax: mktime(<wc-field>)
Description: Convert a human readable time string to an epoch time. Use timeformat option to specify exact format to convert from. You can use a wildcard ( * ) character to specify all fields.
mstime()
Syntax: mstime(<wc-field>)
Description: Convert a [MM:]SS.SSS format to seconds. You can use a wildcard ( * ) character to specify all fields.
none()
Syntax: none(<wc-field>)
Description: In the presence of other wildcards, indicates that the matching fields should not be converted. You can use a wildcard ( * ) character to specify all fields.
num()
Syntax: num(<wc-field>)
Description: Like auto(), except non-convertible values are removed. You can use a wildcard ( * ) character to specify all fields.
rmcomma()
Syntax: rmcomma(<wc-field>)
Description: Removes all commas from value, for example rmcomma(1,000,000.00) returns 1000000.00. You can use a wildcard ( * ) character to specify all fields.
rmunit()
Syntax: rmunit(<wc-field>)
Description: Looks for numbers at the beginning of the value and removes trailing text. You can use a wildcard ( * ) character to specify all fields.

Usage

The convert command is a distributable streaming command. See Command types.

Basic examples

1. Convert all field values to numeric values

Use the auto convert function to convert all field values to numeric values.

... | convert auto(*)

2. Convert field values except for values in specified fields

Convert every field value to a number value except for values in the field src_ip. Use the none convert function to specify fields to ignore.

... | convert auto(*) none(src_ip)

3. Change the duration values to seconds for the specified fields

Change the duration values to seconds for the specified fields

... | convert dur2sec(xdelay) dur2sec(delay)

4. Change the sendmail syslog duration format to seconds

Change the sendmail syslog duration format (D+HH:MM:SS) to seconds. For example, if delay="00:10:15", the resulting value is delay="615".This example uses the dur2sec convert function.

... | convert dur2sec(delay)

5. Convert field values that contain numeric and string values

Convert the values in the duration field, which contain numeric and string values, to numeric values by removing the string portion of the values. For example, if duration="212 sec", the resulting value is duration="212". This example uses the rmunit convert function.

... | convert rmunit(duration)

6. Change memory values to kilobytes

Change all memory values in the virt field to KBs.This example uses the memk convert function.

... | convert memk(virt)

Extended Examples

1. Convert a UNIX time to a more readable time format

Convert a UNIX time to a more readable time formatted to show hours, minutes, and seconds.

source="all_month.csv" | convert timeformat="%H:%M:%S" ctime(_time) AS c_time | table _time, c_time

  • The ctime() function converts the _time value in the CSV file events to the format specified by the timeformat argument.
  • The timeformat="%H:%M:%S" argument tells the search to format the _time value as HH:MM:SS.
  • The converted time ctime field is renamed c_time.
  • The table command is used to show the original _time value and the ctime field.

The results appear on the Statistics tab and look something like this:

_timec_time
2018-03-27 17:20:14.83917:20:14
2018-03-27 17:21:05.72417:21:05
2018-03-27 17:27:03.79017:27:03
2018-03-27 17:28:41.86917:28:41
2018-03-27 17:34:40.90017:34:40
2018-03-27 17:38:47.12017:38:47
2018-03-27 17:40:10.34517:40:10
2018-03-27 17:41:55.54817:41:55

The ctime() function changes the timestamp to a non-numerical value. This is useful for display in a report or for readability in your events list.

2. Convert a time in MM:SS.SSS to a number in seconds

Convert a time in MM:SS.SSS (minutes, seconds, and subseconds) to a number in seconds.

sourcetype=syslog | convert mstime(_time) AS ms_time | table _time, ms_time

  • The mstime() function converts the _time field values from a minutes and seconds to just seconds.

The converted time field is renamed ms_time.

  • The table command is used to show the original _time value and the converted time.
_timems_time
2018-03-27 17:20:14.8391522196414.839
2018-03-27 17:21:05.7241522196465.724
2018-03-27 17:27:03.7901522196823.790
2018-03-27 17:28:41.8691522196921.869
2018-03-27 17:34:40.9001522197280.900
2018-03-27 17:38:47.1201522197527.120
2018-03-27 17:40:10.3451522197610.345
2018-03-27 17:41:55.5481522197715.548

The mstime() function changes the timestamp to a numerical value. This is useful if you want to use it for more calculations.

3. Convert a string time in HH:MM:SS into a number

Convert a string field time_elapsed that contains times in the format HH:MM:SS into a number. Sum the time_elapsed by the user_id field. This example uses the eval command to convert the converted results from seconds into minutes.

...| convert num(time_elapsed) | stats sum(eval(time_elapsed/60)) AS Minutes BY user_id

See also

Commands
eval
fieldformat
Functions
tonumber
strptime

Last modified on 21 November, 2022

contingencycorrelate

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

convert - Splunk Documentation (2024)

FAQs

What is the convert function in Splunk? ›

The convert command in Splunk uses a wide array of conversion functions to manipulate fields in Splunk. These conversions involve operations like changing strings to numeric values, changing time format, and improving the usability or readability of numeric fields with specific units.

Learn More
How do I convert Splunk dashboard to HTML? ›

Splunk users running any version earlier than Splunk Enterprise 8.1. 0 or Splunk Cloud Platform 8.0. 2004 can convert a Simple XML dashboard to HTML for additional customization. Converting a dashboard to HTML is no longer supported for Enterprise version 8.1.

Keep Reading
How to extract data from Splunk? ›

There are three common ways to extract data from Splunk Infrastructure Monitoring: by using SignalFlow, Splunk's streaming analytics API; by using the /timeserieswindow endpoint in the Splunk API; or from the Splunk UI.

Find Out More
What are Splunk transforming commands? ›

transforming command

A type of search command that orders the results into a data table. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes. Searches that use transforming commands are called transforming searches.

View Details
What is the use of convert function? ›

Converts a number from one measurement system to another. For example, CONVERT can translate a table of distances in miles to a table of distances in kilometers.

Get More Info Here
What does convert () do? ›

Definition and Usage

The CONVERT() function converts a value (of any type) into a specified datatype.

Tell Me More
What language are Splunk dashboards written in? ›

Splunk's extensible markup language, Simple XML, is the underlying source code for the dashboards created using the Dashboard Editor. Although you can work with the most common features using the Dashboard Editor, some features are only available by working in the Simple XML code.

See More
How do I export data from Splunk dashboard? ›

To export a dashboard, follow these steps:
  1. Select Dashboard from the Splunk Observability Cloud home page.
  2. Navigate to the dashboard you want to export.
  3. Click the Dashboard actions (⋯) menu.
  4. Select Export.
  5. Click Download.
Sep 14, 2023

Learn More Now
How do I export a Splunk dashboard as a PDF? ›

Generate a dashboard PDF

From the dashboard, select Export > Export PDF. The generated PDF appears in a browser window.

Read The Full Story
How do I send data out of Splunk? ›

Exporting data starts with running a search job to generate results. You can then export this search result data to a file. Run a search job using a POST to /services/search/jobs/ . If you are using a custom time range, pass it in with the POST request.

Know More

How do I ingest data in Splunk? ›

Data ingestion in Splunk happens through the Add Data feature which is part of the search and reporting app. After logging in, the Splunk interface home screen shows the Add Data icon as shown below.

Explore More
What are the three main components of Splunk? ›

Splunk Components. The primary components in the Splunk architecture are the forwarder, the indexer, and the search head.

Learn More
What are the 3 modes in Splunk search? ›

search mode

A setting that optimizes your search performance by controlling the amount or type of data that the search returns. Search mode has three settings: Fast, Verbose, and Smart. Fast mode speeds up searches by limiting the types of data returned by the search.

Read The Full Story
What are the three default roles in Splunk? ›

The predefined roles are: admin: This role has the most capabilities. power: This role can edit all shared objects and alerts, tag events, and other similar tasks. user: This role can create and edit its own saved searches, run searches, edit preferences, create and edit event types, and other similar tasks.

Tell Me More
What does convert command mean? ›

The CONVERT command converts a QBE query to an SQL query. If you specify CONVERT ? , the prompt panel shown in the following figure displays. You can complete the command on the prompt panel.

View Details
What does conversion function do? ›

Conversion functions convert expressions of one data type to another data type when data type conversions are not automatically performed by SQL Server. This function uses a date, time, or numeric value and returns a formatted string representing that value according to a specified style string.

Learn More Now
What is the difference between convert and Try_convert? ›

SQL Server TRY_CONVERT() function converts an expression of one type to the specified type. It returns NULL if cannot convert it. The TRY_CONVERT() and the CONVERT() functions are similar except when the conversion is unsuccessful TRY_CONVERT() returns a NULL and CONVERT() throws an error.

See More
What is the value function used for convert? ›

What is the VALUE Function? The VALUE Function[1] is categorized under Excel Text functions. It will convert a text string that represents a number into a number. Thus, the function will convert text that appears in a recognized format (a number, date, or time format) into a numeric value.

Read On

References

Top Articles
Grandma Netta's Red Cabbage Recipe on Food52
Tomato Basil Chicken Recipe | LaaLoosh
LOST JEEPS • View forum
Varsity Competition Results 2022
Die Reiseauskunft auf bahn.de - mit aktuellen Alternativen gut ans Ziel
Kpschedule Lawson
Ohio State Football Wiki
Msc Open House Fall 2023
Gma Deals And Steals December 5 2022
Osrs Tokkul Calculator
Busted Newspaper Birmingham Al
Cherry Downloadcenter
Humidity Yesterday At My Location
Stellaris Mid Game
Craigslist Sfbay
Myjohnshopkins Mychart
Ironman Kona Tracker
Exquisitely Stuffed Terraria
Pwc Transparency Report
The Creator Showtimes Near Baxter Avenue Theatres
Kristine Leahy Spouse
New from Simply So Good - Cherry Apricot Slab Pie
Pain Out Maxx Kratom
WhirlyBall: next-level bumper cars
10425 Reisterstown Rd
Funny Marco Birth Chart
Kayak Parts Amazon
Locals Canna House Deals
Ridgid Pro Tool Storage System
Hispanic supermarket chain Sedano's now delivering groceries in Orlando
New R-Link system and now issues creating R-Link store account.
Basis Independent Brooklyn
Honeywell V8043E1012 Wiring Diagram
Best Turntables of 2023 - Futurism
Brian Lizer Life Below Zero Next Generation
Sam's Club Near Me Gas Price
Point Click Care Cna Login Cna
5128 Se Bybee Blvd
Optum Director Salary
Open The Excel Workbook Revenue.xls From The Default Directory
Used Cars for Sale in Phoenix, AZ (with Photos)
8 Common Things That are 7 Centimeters Long | Measuringly
7Ohp7
El Confidencial Vanitatis
Tacoma Craigslist Free
Swoop Amazon S3
50 Shades Of Grey Movie 123Movies
Basketball Stars Unblocked Games Premium
Evalue Mizzou
Ds Cuts Saugus
Munich Bavaria Germany 15 Day Weather Forecast
Never Would Have Made It Movie 123Movies
Latest Posts
Copycat Chick Fil A Nuggets Recipe
Easy PF Chang's Lettuce Wrap Recipe - Fearless Fresh
Article information

Author: Moshe Kshlerin

Last Updated:

Views: 5793

Rating: 4.7 / 5 (57 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Moshe Kshlerin

Birthday: 1994-01-25

Address: Suite 609 315 Lupita Unions, Ronnieburgh, MI 62697

Phone: +2424755286529

Job: District Education Designer

Hobby: Yoga, Gunsmithing, Singing, 3D printing, Nordic skating, Soapmaking, Juggling

Introduction: My name is Moshe Kshlerin, I am a gleaming, attractive, outstanding, pleasant, delightful, outstanding, famous person who loves writing and wants to share my knowledge and understanding with you.