convert command: Overview, syntax, and usage

The SPL2 convert command converts field values in your search results into numerical values.

The SPL2 convert command converts field values in your search results into numerical values.

Syntax

The required syntax is in bold.

| convert

[ timeformat ]

convert-function

[ AS field ]

Required parameters

Convert_function

Specify one of the supported convert functions. You can use the AS clause to create a field to place the new values in. The convert functions are the following:

auto() | ctime() | dur2sec() | memk() | mktime() | mstime() | none() | num() | rmcomma() | rmunit()

auto()

Syntax: auto(wc-field)

Description: Automatically converts field values to numbers, using the best conversion data type. If some of the values in a field can't be converted using a known conversion type, none of the field values are converted. You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert auto(time_elapsed) AS elapsed
Example: 
... | convert auto(*)
Example: 
... | convert auto(host*)

ctime()

Syntax: ctime(wc-field) [AS field_name]

Description: Convert an epoch time to an ascii human readable time. Use the timeformat option to specify exact format to convert to. You can use a wildcard ( * ) character to specify all fields.

Example: 
... | convert timeformat="%H:%M:%S" ctime(_time)
Example: 
... | convert timeformat="%H:%M:%S" ctime(_time) AS c_time

dur2sec()

Syntax: dur2sec(wc-field) [AS field_name]

Description: Convert a duration format "[D+]HH:MM:SS" to seconds. For example, if delay="00:10:15", the resulting value is delay="615".You can use a wildcard ( * ) character to specify all fields.

Example: 
... | convert dur2sec(xdelay), dur2sec(delay)
Example: 
... | convert dur2sec(delay*)
Example: 
... | convert dur2sec(elapsed_time) AS 'Elapsed-time'

memk()

Syntax: memk(wc-field) [AS field_name]

Description: Accepts a positive number (integer or float) followed by an optional "k", "m", or "g". The letter k indicates kilobytes, m indicates megabytes, and g indicates gigabytes. If no letter is specified, kilobytes is assumed. The output field is a number expressing quantity of kilobytes. Negative values cause data incoherency. You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert memk(bytes)
Example: 
... | convert memk(bytes) AS kilo_bytes

mktime()

Syntax: mktime(wc-field) [AS field_name]

Description: Convert a human readable time string to an epoch time. Use timeformat option to specify exact format to convert from. You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert timeformat="%H:%M:%S" mktime(_time)
Example: 
... | convert timeformat="%H:%M:%S" mktime(_time) AS mk_time

mstime()

Syntax: mstime(wc-field) [AS field_name]

Description: Convert a [MM:]SS.SSS format to seconds. You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert mstime(elapsed_*)
Example: 
... | convert mstime(elapsed_time) AS ms_time

none()

Syntax: none(wc-field) [AS field_name]

Description: In the presence of other conversion functions, indicates that the matching fields should not be converted. You can use a wildcard ( * ) character to specify all fields.

Example: 
... | convert auto(*) none(src_ip)

num()

Syntax: num(wc-field) [AS field_name]

Description: Like auto(), except non-convertible values are removed. You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert num(*)
Example: 
... | convert num(bytes)

rmcomma()

Syntax: rmcomma(wc-field) [AS field_name]

Description: Removes all commas from value. For example, rmcomma(1,000,000.00) returns 1000000.00. You can use a wildcard ( * ) character to specify all fields or fields with similar names

Example: 
... | convert rmcomma(sales)
Example: 
... | convert rmcomma(emeasales) AS 'Sales in EMEA'

rmunit()

Syntax: rmunit(wc-field) [AS field_name]

Description: Looks for numbers at the beginning of the value and removes trailing text. For example, if duration="212 sec", the resulting value is duration="212". You can use a wildcard ( * ) character to specify all fields or fields with similar names.

Example: 
... | convert rmunit(duration)
Example: 
... | convert rmunit(duration*)

Optional parameters

field

Syntax: AS string

Description: Creates a new field with the name you specify to place the converted values into. The original field and values remain intact.

timeformat

Syntax: timeformat=string

Description: Specify the output format for the converted time field. The timeformat option is used by ctime and mktime functions. For a list and descriptions of format options, see Using time variables in the SPL2 Search Manual.

Default: %m/%d/%Y %H:%M:%S. Note that this default does not conform to the locale settings.

Usage

You can also use the strftime(), strptime(), or tonumber() functions to convert field values.

See also

convert command

convert command: Examples