- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average Timespan
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a large amount of logs in the following format:
2014-07-30 14:23:51,802 - MyApp - 6 - INFO - Performance - process=Update, timeElapsed=00:00:00.0940611
I have a filter which displays only these entries:
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update
Would someone be able to explain how I can update this go that it give me the average timeElapsed across all entries for the selected period?
Apologies, I'm new to this and have tried a few different things but can't seem to figure it out.
Thanks in advance,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update| eval duration=strptime(timeElapsed,"%H:%M:%S.%6Q")-relative_time(now(),"@d") | stats avg(duration) as avgTimeElapsed
The field timeElapsed is string to need to convert it to seconds before calculating avg.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update| eval duration=strptime(timeElapsed,"%H:%M:%S.%6Q")-relative_time(now(),"@d") | stats avg(duration) as avgTimeElapsed
The field timeElapsed is string to need to convert it to seconds before calculating avg.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked a charm!
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can append an | stats avg(timeElapsed) to your search query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, sorry! Did't saw that the field is not properly converted for use with stats. But @somesoni2 got it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response.
This is one of the things I tried but I just get a message saying "No results found"
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
