Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get average of time field?

asifhj
Path Finder
‎04-21-2014 02:22 AM

I have following values in a field(CPU)

000 00:00:00.00

000 00:00:00.03

000 00:00:43.18

000 00:00:20.69

000 00:00:00.04

000 00:00:00.01

000 00:00:00.03

I tried the following query to extract

...| eval t = strftime(strptime(CPU,"+%Q %H:%M:%S.%N"),"%H:%M:%S.%N") | stats avg(t) by host

But unable to get the results

And suggestions?

Regards

Asif J.

Tags (2)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2014 04:16 AM

You can do this to convert your duration strings into seconds:

... | eval tmp = replace(replace(duration, "\.\d+$", ""), "\s+", "+") | convert dur2sec(tmp) as converted | fields - tmp | eval converted = converted + tonumber("0.".replace(duration, "^.*\.", ""))

There's a bit of format changing required before convert dur2sec() will accept the string, but it'll work. Once you have the durations in seconds you can do any calculation you want, including stats avg(converted).

Reply

marina_rovira
Contributor
‎01-13-2016 01:55 AM

Hi there!

I have the same question, but I didn't get your answer. What should be the value of tmp?
I don't understand either the tonumber function.

These are some of the durations I have, the field is called "Time spent" and I would like to calculate the average for a specific search like for especific customer that I've selected before (search customer=X).
00:01:00
00:02:00
00:05:00
00:03:00
00:04:00
00:06:00
00:00:00
00:07:00
(this is how I search for a specific value for this field Tspent="00:01:00", I supouse it is duration)

Thanks!

0 Karma
Reply

sundareshr
Legend
‎01-13-2016 05:04 AM

You should get the expected result with this 

... | eval dur = replace(Tspent, "\.\d+$", "") | convert dur2sec(dur) | stats avg(dur) as avgTspent
Reply

marina_rovira
Contributor
‎01-13-2016 05:31 AM

Yes I have! Thank you, the last question about this, trying if you can help me with this last step 😄

The output is 00:15:04.502712, is there some way that I can remove the ms and show it as 00:15:04 ?

Thank you a lot!

0 Karma
Reply

asifhj
Path Finder
‎04-21-2014 03:23 AM

Durations?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2014 02:35 AM

Are those values timestamps or durations?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...