Solved: How to edit my search to figure out average time t...

rickyrivera1 · ‎05-24-2017

Alright...new to Splunk and actually been figuring it out as I go along. The only problem I am having is I am trying to capture 2 time fields. I'm trying to capture Time_To_Own_Minutes and Time_To_Close_Minutes both are avg. The search I have pasted below shows an additional field of overall time that I don't need. Thoughts on how to capture time in minutes?

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
| rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
| eval CT=coalesce(CLOSED_TIME, closed_time)
| eval Annotes=substr(ANNOTATION,1,3) 
| eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
| eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
| eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
| eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
| eval TimeToClose=ctime-rtime 
| eval TimeToClose=abs(TimeToClose) 
| eval TimeToOwn=aotime-rtime 
| eval TimeToOwn=abs(TimeToOwn) 
| eval RT_Time=strftime(rtime, "%m/%d/%Y %I:%M:%S %p") 
| eval CT_Time=strftime(ctime, "%m/%d/%Y %I:%M:%S %p") 
| eval AT_Time=strftime(atime, "%m/%d/%Y %I:%M:%S %p") 
| eval AOT_Time=strftime(aotime, "%m/%d/%Y %I:%M:%S %p") 
| eval Time_To_Close_Minutes=round(TimeToClose/60,2) 
| eval Time_To_Own_Minutes=round(TimeToOwn/60,2) 
| stats count as "Overall Time" avg(Time_To_Own_Minutes) as "Overall: Avg Time to Close in Minutes" avg(Time_To_Close_Minutes)

cmerriman · ‎05-24-2017

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

View solution in original post

rickyrivera1 · ‎05-25-2017

This is exactly what I was looking for! Sadly for me the change was way too easy, but thank you for your help on this one!!!

cmerriman · ‎05-25-2017

That's alright, you're new and sometimes it's the easiest thing that's the hardest to see!

cmerriman · ‎05-24-2017

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

How to edit my search to figure out average time tracking?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life