Display daily runtime averages by month

fisuser1
Contributor

I am currently displaying daily run time averages; however, I want to show averages by month and week as well. Any suggestions for edits to make this work?

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL"
| eval Duration(seconds)=(EndTime - StartTime)/1000
| stats avg(Duration(seconds)) as AvgDayendTime by ClientName
| eval AvgDayendTime = tostring('AvgDayendTime', "duration")

0 Karma

woodcock
Esteemed Legend

First of all, try this search to replace your existing one:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| stats  avg(Duration_seconds) as AvgDayendTime BY ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

Then this for monthly:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats min(_time) AS _time values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| bucket _time span=1mon
| stats  avg(Duration_seconds) as AvgDayendTime BY _time ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

For weekly, just change 1mon to 1w.

0 Karma

fisuser1
Contributor

I get "No results found." when attempting to run the search you included.

My search produces expected results.

ClientName AvgDayendTime
Joes 02:31:25.571429

0 Karma

woodcock
Esteemed Legend

I had a typo. I updated my answer so try again.

0 Karma

fisuser1
Contributor

Same result. It does not pull back any events.

No results found.

0 Karma

woodcock
Esteemed Legend

Try changing to this:

streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
0 Karma

sundareshr
Legend

That's what I meant 🙂

0 Karma

fisuser1
Contributor

Still no luck with the modification.

No results found.

0 Karma

woodcock
Esteemed Legend

I updated my answer again to make sure that the adjustment is integrated correctly. Does it still not work?

0 Karma

fisuser1
Contributor

Now seeing "Invalid number" when running.

0 Karma

woodcock
Esteemed Legend

Are you sure that you copied it correctly? That doesn't make sense to me.

0 Karma

fisuser1
Contributor

Copied and pasted just fine.

0 Karma

woodcock
Esteemed Legend

By "just fine" you mean "invalid number", right?

0 Karma

sundareshr
Legend

Assuming UPROC is a field, you may need this change:

streamstats count(eval(isnotnull(UPROC="ZENDMAIL"))) AS SessionID

0 Karma