Solved: Subtraction of the time duration

splunkpoornima · ‎10-16-2012

I used the below query and i got the following result

source="ADFER"|transaction Taskaction startswith="START" endswith="Succeeded"|stats avg(duration) by Taskaction

i got the result as,

Taskaction avg(duration)

a 1.45

b 23.67

so i want to subtract my avg(duration) with 16.857934 for each task.i want the result lik below

Taskaction duration

a -15.40

b 6.812066

Ayn · ‎10-16-2012

source="ADFER"|transaction Taskaction startswith="START" endswith="Succeeded"|stats avg(duration) as duration by Taskaction | eval duration=duration-16.857934

View solution in original post

MHibbin · ‎10-16-2012

Hi,

You will need to pipe to an eval command, where you can do some mathematics using the Splunk langauge and assign the values to a field for example..

source="ADFER"|transaction Taskaction startswith="START" endswith="Succeeded"|stats avg(duration) as avgduration by Taskaction | eval duration=avgduration-16.857934

Or you could use eval to assign the '16.857934' to a field and do the following:

source="ADFER"|transaction Taskaction startswith="START" endswith="Succeeded"|stats avg(duration) as avgduration by Taskaction | eval minVal="16.857934" |eval duration=avgduration-minVal

You should read the docs on this:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/eval
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

Ayn · ‎10-16-2012

source="ADFER"|transaction Taskaction startswith="START" endswith="Succeeded"|stats avg(duration) as duration by Taskaction | eval duration=duration-16.857934

splunkpoornima · ‎10-16-2012

thank u very much
it is Working fine ..

Subtraction of the time duration

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud