Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the time difference between events to calculate the average duration?

dbcase
Motivator
‎05-25-2016 03:18 PM

Hi,

I have a data set that looks like this:

alt text

I need to calculate the avg duration of the power loss (event where EVENT_SUB_TYPE=ACpwrLoss is the beginning and event where EVENT_SUB_TYPE=ACpwrLossRes is the end). The time that the transaction begins/ends is in the CPE_CONVERTED field and this needs to be by PREMISE.

I've tried several things, but none have worked out yet. This one is the most promising but still no luck

| transaction PREMISE EVENT_SUB_TYPE startswith="ACPwrLoss" endswith="ACPwrLossRes" | timechart avg(duration) by PREMISE

Any thoughts?

Preview file
1 KB
0 Karma
Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎05-26-2016 05:53 AM

Why not use stats instead of timechart? I'm not sure what default span is on timechart but it might be messing up your results.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-25-2016 05:02 PM

This works for the very last outage of each premise, but doesnt show all outages if there were multiples:

 index=top10 | eval powerOff=if(EVENT_SUB_TYPE="ACPwrLoss",_time,null()) | eval powerRestored=if(EVENT_SUB_TYPE="ACPwrLossRes",_time,null()) | stats last(powerRestored) AS lastPowerRestored last(powerOff) AS lastPowerOff by PREMISE | eval outageDuration=lastPowerRestored-lastPowerOff | table PREMISE lastPowerOff lastPowerRestored outageDuration

This works for all outages of each premise, but can get wonky if you have multiple ACPwrLoss'es for one premise before having a ACPwrLossRes... can also get weird if you have the loss but no restoration.

 index=top10 | sort PREMISE | eval powerLost=if(EVENT_SUB_TYPE="ACPwrLoss",_time,null()) | eval powerRestored=if(EVENT_SUB_TYPE="ACPwrLossRes",_time,null()) | filldown powerRestored | table PREMISE powerLost powerRestored | where isnotnull(powerLost) | eval duration=powerRestored-powerLost | stats avg(duration) as duration by PREMISE

duration is in seconds in above.

Here's the same as above but evals for minutes, max, mins, avg, and counts:

 index=top10 | sort PREMISE | eval powerLost=if(EVENT_SUB_TYPE="ACPwrLoss",_time,null()) | eval powerRestored=if(EVENT_SUB_TYPE="ACPwrLossRes",_time,null()) | filldown powerRestored| table PREMISE powerLost powerRestored | where isnotnull(powerLost) | eval duration=powerRestored-powerLost | stats count(duration) as total_outage_count max(eval(duration/60)) as maximum_duration_minutes min(eval(duration/60)) as minumum_duration_minute avg(eval(duration/60)) as average_duration_minutes by PREMISE

Sorry for so many answers, but I hope one of them fits the bill.

Cheers,
JKat54

0 Karma
Reply

sk314
Builder
‎05-25-2016 04:54 PM

Did you try | transaction PREMISE startswith="ACPwrLoss" endswith="ACPwrLossRes" | timechart avg(duration) by PREMISE

0 Karma
Reply

michael_bates_1
Path Finder
‎05-25-2016 04:41 PM

Hi,

Try removing the field "EVENT_SUB_TYPE" from the field list.

The transaction command uses the field list to group events together and in your example, the contents of this field are actually different so you are getting 2 transactions with only a single event in them.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...