Hi chvnc,
You can take this run everywhere example:
| gentimes start=-1
| eval foo="00 00:01:00.209"
| eval myFoo=strptime(foo, "00 %H:%M:%S.%3N")
| stats count avg(myFoo) AS avg_foo by foo
| eval new_foo=strftime(avg_foo, "00 %H:%M:%S.%3N")
strptime
is used to parse a time stamp represented by a string and return an epoch time. strftime
is used to create a human readable time stamp based on an epoch time.
More details are in the docs http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Date_and_Time_...
Hope this helps ...
cheers, MuS
Hi chvnc,
You can take this run everywhere example:
| gentimes start=-1
| eval foo="00 00:01:00.209"
| eval myFoo=strptime(foo, "00 %H:%M:%S.%3N")
| stats count avg(myFoo) AS avg_foo by foo
| eval new_foo=strftime(avg_foo, "00 %H:%M:%S.%3N")
strptime
is used to parse a time stamp represented by a string and return an epoch time. strftime
is used to create a human readable time stamp based on an epoch time.
More details are in the docs http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Date_and_Time_...
Hope this helps ...
cheers, MuS
index=u2 sourcetype=ema earliest=-5m | fields ExecuteTime, Target | eval Execute_Time=strptime(ExecuteTime,"00 %H:%M:%S.%3N") | timechart avg(Execute_Time) as avg_duration by Target | eval avg_duration=strftime(avg_duration,"%H:%M:%S.%3N")
trying to write the query like this, but the last eval statement for strftime seems to not be working, the avg_duration is showing in epoch time only. Can you help in this?
Yeah, I thought about that as well but here is another solution: The epoch time after strptime will be starting at the current day midnight, so just subtract this from the value and you will get your seconds 😉
Try this run everywhere command:
| gentimes start=-1
| eval foo="00 00:01:00.209"
| eval myFoo=strptime(foo, "00 %H:%M:%S.%3N") - relative_time(now(), "-0d@d")
| stats count avg(myFoo) AS avg_foo by foo, myFoo
cheers, MuS
Thanks Man that worked
You're welcome 🙂
What did you try so far? How does your strptime command look like? What do the first two zeros signify ?