07 Dec 2023 05:21 PM - last edited on 11 Dec 2023 08:32 AM by MaciejNeumann
I am very new to DQL and I am trying to breakdown a time field in a log content
Ex:
content:
WARN, Module 1 has a thread in hung state, Thread hang duration: 00:00:00:32 -
WARN, Module 2 has a thread in hung state, Thread hang duration: 00:00:54:15 -
WARN, Module 3 has a thread in hung state, Thread hang duration: 00:00:1:36 -
I am trying to extract "Thread hang duration" into a time field and if it is over a certain threshold value alert it.
Query used:
fetch logs
| filter contains(content, "hang duration")
| parse content, "LD 'Thread hang duration:' LD:HangDuration SPACE '-'"
| fields content, HangDuration
As you can see I have parsed it with LD which works but if I use any other data type, I get null. I have tried
timestamp, duration while parsing as well as converting it from parsed string like below
| fieldsAdd myHangDuration = toTimestamp(HangDuration)
Solved! Go to Solution.
05 Jan 2024 09:17 PM
Hi @dynaNoob
do you have try this :
| fieldsAdd myHangDuration = duration(HangDuration, unit:"s")