convert

This documentation does not apply to the most recent version of Splunk.

Synopsis

Converts field values into numerical values.

Syntax

convert [timeformat=string] (<convert-function> [as field])+

Arguments

timeformat
Syntax: timeformat=<string>
Description: The timeformat option is used by the ctime and mktime conversions.
<convert-function>
Syntax: auto() | ctime() | dur2sec() | memk() | mktime() | mstime() | none() | num() | rmcomma() | rmunit()
Description: Functions for convert.

Convert functions

auto()
Syntax: auto("(" (<wc-field>)? ")")?
Description: Automatically convert the field(s) to a number using the best conversion. Note that if not all values of a particular field can be converted using a known conversion type, the field is left untouched and no conversion at all is done for that field.
ctime()
Syntax: ctime"("<wc-field>?")"
Description: Convert an epoch time to an ASCII human-readable time. Use the timeformat option to specify the exact format to convert to.
dur2sec()
Syntax: dur2sec"("<wc-field>?")"
Description: Convert a duration format "D+HH:MM:SS" to seconds.
memk()
Syntax: memk"(" <wc-field>? ")"
Description: Convert a {KB, MB, GB} denominated size quantity into KB.
mktime()
Syntax: mktime"("<wc-field>?")"
Description: Convert a human-readable time string to an epoch time. Use the timeformat option to specify the exact format to convert from.
mstime()
Syntax: mstime"(" <wc-field>? ")"
Description: Convert a value in MM:SS.SSS format to seconds.
none()
Syntax: none"(" <wc-field>? ")"
Description: In the presence of other wildcards, indicates that the matching fields should not be converted.
num()
Syntax: num"("<wc-field>? ")"
Description: Like auto(), except non-convertible values are removed.
rmcomma()
Syntax: rmcomma"("<wc-field>? ")"
Description: Removes all commas from the value, e.g. '1,000,000.00' -> '1000000.00'.
rmunit()
Syntax: rmunit"(" <wc-field>? ")"
Description: Looks for numbers at the beginning of the value and removes trailing text.

Description

Converts the values of fields into numerical values. When renaming a field using as, the original field is left intact. The timeformat option is used by ctime and mktime conversions. Default = %m/%d/%y %h:%m:%s.

Examples

Example 1: Convert the values of the "duration" field to numbers by removing the trailing text from each value. For example, if duration="212 sec", the resulting value is duration="212".

... | convert rmunit(duration)

Example 2: Change the sendmail syslog duration format (D+HH:MM:SS) to seconds. For example, if delay="00:10:15", the resulting value is delay="615".

... | convert dur2sec(delay)

Example 3: Change all memory values in the "virt" field to Kilobytes.

... | convert memk(virt)

Example 4: Convert every field value to a number value except for values in the field "foo" (use the "none" argument to specify fields to ignore).

... | convert auto(*) none(foo)

Example 5: Convert the duration values in both the "xdelay" and "delay" fields to seconds.

... | convert dur2sec(xdelay) dur2sec(delay)

Example 6: Automatically convert the values of every field to numbers.

... | convert auto(*)
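
The difference between auto() (a field is left untouched unless every value converts) and num() (non-convertible values are removed) decides whether a later numeric comparison sees numbers at all. The Python model below is an added example, not Splunk's code: it implements dur2sec and rmunit as this page describes them and applies both rules to constructed events. The names convert_all_or_nothing and convert_drop_bad, the regular expressions, and the reading of "removed" as dropping the field from the event are assumptions.

```python
import re

# Assumed patterns for the formats named on the page; the day part is
# optional because the page's own example ("00:10:15") has none.
_DUR = re.compile(r"^(?:(\d+)\+)?(\d{1,2}):(\d{2}):(\d{2})$")
_LEADING_NUM = re.compile(r"^\s*(-?\d+(?:\.\d+)?)")

def dur2sec(value):
    """'D+HH:MM:SS' -> seconds, or None when the value does not match."""
    m = _DUR.match(value.strip())
    if not m:
        return None
    days, hh, mm, ss = (int(g or 0) for g in m.groups())
    return ((days * 24 + hh) * 60 + mm) * 60 + ss

def rmunit(value):
    """Keep the number at the start of the value and drop trailing text."""
    m = _LEADING_NUM.match(value)
    if not m:
        return None
    text = m.group(1)
    return float(text) if "." in text else int(text)

def convert_all_or_nothing(events, field, fn):
    """auto()-style rule: one bad value leaves the whole field untouched."""
    present = [e for e in events if field in e]
    if any(fn(e[field]) is None for e in present):
        return [dict(e) for e in events]
    return [{**e, field: fn(e[field])} if field in e else dict(e)
            for e in events]

def convert_drop_bad(events, field, fn):
    """num()-style rule: convert what converts, remove what does not."""
    out = []
    for e in events:
        e = dict(e)
        if field in e:
            v = fn(e[field])
            if v is None:
                del e[field]
            else:
                e[field] = v
        out.append(e)
    return out

# Constructed sample events (not real log data).
SAMPLE = [{"delay": "00:10:15"}, {"delay": "1+02:00:05"}, {"delay": "n/a"}]
```

With SAMPLE, the all-or-nothing rule returns every delay as the original string because of the single "n/a" value, so a search that filters on a numeric threshold after auto() should first confirm the field actually converted.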


See also

eval

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11