Datetime milliseconds to minutes

d2freak82 · July 25, 2022, 4:26pm

So in theory this seems like a simple ordeal milliseconds output / 60000 = minutes
I have 2 datetime fields start_time and end_time, I have to subtract 1 from the other to = session_time, which I have working great - the output is in milliseconds. Now I want to convert milliseconds to minutes - no matter what I do, I either see an error or output is 0.

let session_time = (end_time - start_time);
set_field("session_time", session_time / 60000)

if I do this, I get incompatible types DataTime <=> (60000) Long in line xx
so I change

set_field("session_time", to_long(session_time) / 60000)

and my error goes away but then my output is null

tmacgbay · July 25, 2022, 7:10pm

This post might get you a little closer to what you want to do:

d2freak82 · July 25, 2022, 8:19pm

thanks for the suggestion, I had tried that exact thing this morning with no success. The problem is the value for to_long(session_time) = 0 so it doesn’t process the rule.
if I leave the > 0 part off, I see hours minutes seconds for duration, but no numbers
I even tried

rule "VPN sessiontime to min"
when
    has_field("session_time")

then

    let session_duration = to_long($message.session_time);
    set_field("session_duration", session_duration);

end

I get the field session_duration but it = 0

d2freak82 · July 25, 2022, 8:39pm

I just tried doing the above except I used to_string instead of to_long… now I get an output of PT142S - not sure what that means but it’s something!

d2freak82 · July 25, 2022, 9:44pm

so for some reason it converted it to a duration… I used a grok pattern to extract the number of seconds from the to_string value. Then did some math to turn it into hours minutes seconds

gsmith · July 25, 2022, 11:41pm

Hello @d2freak82

If I’m correct this was from Discord?

Could you show how this was done?

d2freak82 · July 26, 2022, 12:54pm

sure - first since I was seeing PT140s (or some variation of that) displaying for session_time I realized that it was a duration it was showing. To do that, I just did a basic output of what to_string(session_time) was.
Then I created a grok pattern to extract that, which could be done in the pipeline simply with %{NUMBER:name} - because that’s all I put in the grok pattern I created.

rule "VPN sessiontime to min"
when
    has_field("session_time")

then

    let session_duration = to_string($message.session_time);
    
    let vpn_duration = grok("%{UNIFIMS:UNWWANTED}", session_duration, true);
    let d_time = to_long(vpn_duration.time);
    
    let d_seconds = d_time % 60;
    let d_minutes = (d_time % 3600 - d_seconds) / 60;
    let d_hours   = d_time / 3600;
        
    let build_message_0 = concat(to_string(d_hours), " hours, ");
    let build_message_1 = concat(build_message_0, to_string(d_minutes));
    let build_message_2 = concat(build_message_1, " minutes, ");
    let build_message_3 = concat(build_message_2, to_string(d_seconds));
    let build_message_4 = concat(build_message_3, " seconds"); 
   
    set_field("session_duration", build_message_4);
    
end

used the modulus % for the minutes/seconds to calculate only what was below 60

Output looks like

session_duration
0 hours, 7 minutes, 38 seconds

gsmith · July 26, 2022, 10:36pm

Awesome, thanks for posting it @d2freak82

system · August 9, 2022, 10:37pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert Milliseconds to Minutes Pipeline Rules	0	415	July 26, 2022
Rule for converting time duration string to summable value Graylog Central (peer support) pipeline-rules	6	204	July 15, 2023
Issues with date conversion in pipeline Graylog Central (peer support)	10	1195	March 6, 2019
Rounding in Pipelines Graylog Central (peer support) pipeline-rules	6	1018	August 11, 2020
Compare 2 dates Graylog Central (peer support)	2	909	September 23, 2019

Datetime milliseconds to minutes

Related Topics