Splunk Search

How to calculate the average time in a URL?

rosho
Communicator

Hi
I want to calculate the average time of being in a URL.
This SPL shows me the time spent in a URL, but NOT the average

index=fortigate 
| transaction url
| table duration, url

This other SPL gives me the Total average. It is NOT by url

index=fortigate 
| transaction url
| stats avg(duration) AS Avg_Session_Time
0 Karma
1 Solution

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

View solution in original post

0 Karma

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

0 Karma

niketn
Legend

@rosho unfortunately I dont think this information is enough for correlating the duration in a URL. What is the event data/field which will determine login and logoff or something similar that URL is in use?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rosho
Communicator
index=bigip host="F5-BOU-4K-A.entourage.intra"
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP

This will do it. But I do not know how to put the average bytes_in for each clientip

0 Karma

rosho
Communicator

Can you give me an example?

0 Karma

nabeel652
Builder

I think you need to add session_id in your query otherwise it will not differentiate between different sessions/users.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...