Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get average of time field?

asifhj
Path Finder
‎04-21-2014 02:22 AM

I have following values in a field(CPU)

000 00:00:00.00

000 00:00:00.03

000 00:00:43.18

000 00:00:20.69

000 00:00:00.04

000 00:00:00.01

000 00:00:00.03

I tried the following query to extract

...| eval t = strftime(strptime(CPU,"+%Q %H:%M:%S.%N"),"%H:%M:%S.%N") | stats avg(t) by host

But unable to get the results

And suggestions?

Regards

Asif J.

Tags (2)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2014 04:16 AM

You can do this to convert your duration strings into seconds:

... | eval tmp = replace(replace(duration, "\.\d+$", ""), "\s+", "+") | convert dur2sec(tmp) as converted | fields - tmp | eval converted = converted + tonumber("0.".replace(duration, "^.*\.", ""))

There's a bit of format changing required before convert dur2sec() will accept the string, but it'll work. Once you have the durations in seconds you can do any calculation you want, including stats avg(converted).

Reply

marina_rovira
Contributor
‎01-13-2016 01:55 AM

Hi there!

I have the same question, but I didn't get your answer. What should be the value of tmp?
I don't understand either the tonumber function.

These are some of the durations I have, the field is called "Time spent" and I would like to calculate the average for a specific search like for especific customer that I've selected before (search customer=X).
00:01:00
00:02:00
00:05:00
00:03:00
00:04:00
00:06:00
00:00:00
00:07:00
(this is how I search for a specific value for this field Tspent="00:01:00", I supouse it is duration)

Thanks!

0 Karma
Reply

sundareshr
Legend
‎01-13-2016 05:04 AM

You should get the expected result with this 

... | eval dur = replace(Tspent, "\.\d+$", "") | convert dur2sec(dur) | stats avg(dur) as avgTspent
Reply

marina_rovira
Contributor
‎01-13-2016 05:31 AM

Yes I have! Thank you, the last question about this, trying if you can help me with this last step 😄

The output is 00:15:04.502712, is there some way that I can remove the ms and show it as 00:15:04 ?

Thank you a lot!

0 Karma
Reply

asifhj
Path Finder
‎04-21-2014 03:23 AM

Durations?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2014 02:35 AM

Are those values timestamps or durations?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...