https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91135#M18930 <P>I am trying to get the average Session duration by USER_ID, but a single USER_ID can have multiple SESSION_ID. The SESSION_ID is the unique identifier. I currently have a table that looks like this:</P> <P>USER_ID------SESSION_ID ----------------------- start --------------------------- stop<BR /><BR /> UserA ------{firstSessionID} ---------- 20130710 08:15:53 -------- 20130710 08:16:15<BR /><BR /> UserB-----{secondSessionID} ----- 20130710 08:16:42 -------- 20130710 08:16:55<BR /><BR /> UserA------{ThirdSessionID} ------- 20130709 13:34:23 -------- 20130709 13:35:34</P> <P>I am trying to eventually have a list of all the USER_ID and the average Session duration by USER_ID. My search for the above result looks like this: </P> <P>index=loghistory SESSION_ID=* USER_ID=* DEALER_ID=* USER_ID!="N/A" |stats earliest(EVENT_TIMESTAMP) as start, latest(EVENT_TIMESTAMP) as stop by USER_ID,SESSION_ID</P> <P>Thank you in advance.</P> Mon, 28 Sep 2020 14:18:30 GMT JoeSco27 2020-09-28T14:18:30Z https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91135#M18930 <P>I am trying to get the average Session duration by USER_ID, but a single USER_ID can have multiple SESSION_ID. The SESSION_ID is the unique identifier. I currently have a table that looks like this:</P> <P>USER_ID------SESSION_ID ----------------------- start --------------------------- stop<BR /><BR /> UserA ------{firstSessionID} ---------- 20130710 08:15:53 -------- 20130710 08:16:15<BR /><BR /> UserB-----{secondSessionID} ----- 20130710 08:16:42 -------- 20130710 08:16:55<BR /><BR /> UserA------{ThirdSessionID} ------- 20130709 13:34:23 -------- 20130709 13:35:34</P> <P>I am trying to eventually have a list of all the USER_ID and the average Session duration by USER_ID. My search for the above result looks like this: </P> <P>index=loghistory SESSION_ID=* USER_ID=* DEALER_ID=* USER_ID!="N/A" |stats earliest(EVENT_TIMESTAMP) as start, latest(EVENT_TIMESTAMP) as stop by USER_ID,SESSION_ID</P> <P>Thank you in advance.</P> Mon, 28 Sep 2020 14:18:30 GMT https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91135#M18930 JoeSco27 2020-09-28T14:18:30Z https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91136#M18931 <P>use the Transaction command.</P> Wed, 10 Jul 2013 14:41:21 GMT https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91136#M18931 bmacias84 2013-07-10T14:41:21Z https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91137#M18932 <P>Try something like this.<BR /> Converting times to epoch times , then doing the math on the epoch value :</P> <PRE><CODE>...| eval startSession=strptime(start,"%Y%m%d %H:%M:%S") | eval endSession=strptime(stop,"%Y%m%d %H:%M:%S") | eval sessionDuration=endSession-startSession | stats avg(sessionDuration) by USER_ID </CODE></PRE> Wed, 10 Jul 2013 14:56:21 GMT https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91137#M18932 Damien_Dallimor 2013-07-10T14:56:21Z https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91138#M18933 <P>This works, thank you. The time that returns is in seconds because it was converted to epoch, correct?</P> Wed, 10 Jul 2013 16:33:12 GMT https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91138#M18933 JoeSco27 2013-07-10T16:33:12Z https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91139#M18934 <P>Yes , seconds. You can use "strftime" to convert it back into another format.</P> <P>Don't forget to accept the answer if it worked.</P> Wed, 10 Jul 2013 16:36:44 GMT https://community.splunk.com/t5/Getting-Data-In/Average-Time-over-two-Timestamps/m-p/91139#M18934 Damien_Dallimor 2013-07-10T16:36:44Z