Solved: How to edit my search to figure out average time t...

rickyrivera1 · ‎05-24-2017

Alright...new to Splunk and actually been figuring it out as I go along. The only problem I am having is I am trying to capture 2 time fields. I'm trying to capture Time_To_Own_Minutes and Time_To_Close_Minutes both are avg. The search I have pasted below shows an additional field of overall time that I don't need. Thoughts on how to capture time in minutes?

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
| rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
| eval CT=coalesce(CLOSED_TIME, closed_time)
| eval Annotes=substr(ANNOTATION,1,3) 
| eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
| eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
| eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
| eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
| eval TimeToClose=ctime-rtime 
| eval TimeToClose=abs(TimeToClose) 
| eval TimeToOwn=aotime-rtime 
| eval TimeToOwn=abs(TimeToOwn) 
| eval RT_Time=strftime(rtime, "%m/%d/%Y %I:%M:%S %p") 
| eval CT_Time=strftime(ctime, "%m/%d/%Y %I:%M:%S %p") 
| eval AT_Time=strftime(atime, "%m/%d/%Y %I:%M:%S %p") 
| eval AOT_Time=strftime(aotime, "%m/%d/%Y %I:%M:%S %p") 
| eval Time_To_Close_Minutes=round(TimeToClose/60,2) 
| eval Time_To_Own_Minutes=round(TimeToOwn/60,2) 
| stats count as "Overall Time" avg(Time_To_Own_Minutes) as "Overall: Avg Time to Close in Minutes" avg(Time_To_Close_Minutes)

cmerriman · ‎05-24-2017

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

View solution in original post

rickyrivera1 · ‎05-25-2017

This is exactly what I was looking for! Sadly for me the change was way too easy, but thank you for your help on this one!!!

cmerriman · ‎05-25-2017

That's alright, you're new and sometimes it's the easiest thing that's the hardest to see!

cmerriman · ‎05-24-2017

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

How to edit my search to figure out average time tracking?

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success