Splunk Search

Search average for time-taken field

salles
Loves-to-Learn Lots

Hi, I have a log file that has a field called "TimeTaken".

The values of this field are in the format:

00:01:27.763
00:02:10.15
00:01:36.175
00:00:48.368
00:00:22.692

etc..
This signifies how long this operation took in HH:MM;SS;ms format (per each log line).

I am trying to figure out a way to do calculations on this field, for example, get an Average "timetaken" or how many events took longer than 00:12:00:00 (12 minutes) etc.

Is there any way this can be done using a clever Splunk search?

Any help would be much appreciated.

0 Karma
1 Solution

rslama
Path Finder

I think it will be easier if you converted to seconds, then do your average from there...
*adding /60

| eval Hr=(mvindex(split(TimeTaken,":"),0))
| eval Hr=Hr*60*60
| eval Mn=(mvindex(split(TimeTaken,":"),1))
| eval Mn=Mn*60
| eval Sc=mvindex(split(TimeTaken,":"),2)
| eval newTime=(Hr+Mn+Sc)/60

View solution in original post

0 Karma

rslama
Path Finder

I think it will be easier if you converted to seconds, then do your average from there...
*adding /60

| eval Hr=(mvindex(split(TimeTaken,":"),0))
| eval Hr=Hr*60*60
| eval Mn=(mvindex(split(TimeTaken,":"),1))
| eval Mn=Mn*60
| eval Sc=mvindex(split(TimeTaken,":"),2)
| eval newTime=(Hr+Mn+Sc)/60

0 Karma

salles
Loves-to-Learn Lots

Hi rslama,
This works perfectly! Thank you so much for the help. You guys are awesome!!!

0 Karma

rslama
Path Finder

glad I was able to help!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...