Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search average for time-taken field

salles
Loves-to-Learn Lots
‎06-20-2019 02:24 PM

Hi, I have a log file that has a field called "TimeTaken".

The values of this field are in the format:

00:01:27.763
00:02:10.15
00:01:36.175
00:00:48.368
00:00:22.692

etc..
This signifies how long this operation took in HH:MM;SS;ms format (per each log line).

I am trying to figure out a way to do calculations on this field, for example, get an Average "timetaken" or how many events took longer than 00:12:00:00 (12 minutes) etc.

Is there any way this can be done using a clever Splunk search?

Any help would be much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rslama
Path Finder
‎06-20-2019 04:26 PM

I think it will be easier if you converted to seconds, then do your average from there...
*adding /60

| eval Hr=(mvindex(split(TimeTaken,":"),0))
| eval Hr=Hr*60*60
| eval Mn=(mvindex(split(TimeTaken,":"),1))
| eval Mn=Mn*60
| eval Sc=mvindex(split(TimeTaken,":"),2)
| eval newTime=(Hr+Mn+Sc)/60

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rslama
Path Finder
‎06-20-2019 04:26 PM

I think it will be easier if you converted to seconds, then do your average from there...
*adding /60

| eval Hr=(mvindex(split(TimeTaken,":"),0))
| eval Hr=Hr*60*60
| eval Mn=(mvindex(split(TimeTaken,":"),1))
| eval Mn=Mn*60
| eval Sc=mvindex(split(TimeTaken,":"),2)
| eval newTime=(Hr+Mn+Sc)/60

0 Karma
Reply
Solved! Jump to solution

salles
Loves-to-Learn Lots
‎06-21-2019 10:18 AM

Hi rslama,
This works perfectly! Thank you so much for the help. You guys are awesome!!!

0 Karma
Reply
Solved! Jump to solution

rslama
Path Finder
‎06-21-2019 11:22 AM

glad I was able to help!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...