https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414805#M119466 <P>Give this a try</P> <PRE><CODE>..base search... | streamstats current=false window=1 last(_time) as time_of_last_change by namespace | eval diffoflastchange=_time-time_of_last_change | timechart span=1d avg(diffoflastchange) </CODE></PRE> Thu, 29 Nov 2018 18:50:59 GMT somesoni2 2018-11-29T18:50:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414803#M119464 <P>I want to calculate the average time between updates for my data — I.E: on average, how often is this data changing? <BR /> I'm able to get the changes in data and the delta between those changes by using the streamstats command.</P> <PRE><CODE>...| table _time namespace diffoflastchange </CODE></PRE> <P>I end up with the columns above where the important column is diffoflastchange, which is really...</P> <PRE><CODE>| streamstats current=false last(count) as prev_count last(_time) as time_of_last_change by namespace | eval diffoflastchange=now()-time_of_last_change </CODE></PRE> <P>...so now, I got all my timestamps per above, but I can't figure how to average them together to get the, let's say, daily average over a 2 week period.</P> Thu, 29 Nov 2018 18:19:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414803#M119464 tb5821 2018-11-29T18:19:55Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414804#M119465 <P>looking at this again I think even my eval diffoflastchange is wrong b/c I want that diff to be from the previous time_of_last_change ... hmmm</P> Tue, 29 Sep 2020 22:13:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414804#M119465 tb5821 2020-09-29T22:13:18Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414805#M119466 <P>Give this a try</P> <PRE><CODE>..base search... | streamstats current=false window=1 last(_time) as time_of_last_change by namespace | eval diffoflastchange=_time-time_of_last_change | timechart span=1d avg(diffoflastchange) </CODE></PRE> Thu, 29 Nov 2018 18:50:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414805#M119466 somesoni2 2018-11-29T18:50:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414806#M119467 <P>no I don't think this produces accurate results - I'd like to see avg in HH:MM:SS by day</P> Thu, 29 Nov 2018 20:38:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414806#M119467 tb5821 2018-11-29T20:38:55Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414807#M119468 <P>It currently gives the result in seconds. You can format in duration format using <CODE>tostring</CODE>function of eval. See this for example<BR /> <A href="https://answers.splunk.com/answers/367836/how-to-convert-the-output-of-tostring-or-convert-a.html">https://answers.splunk.com/answers/367836/how-to-convert-the-output-of-tostring-or-convert-a.html</A></P> Thu, 29 Nov 2018 20:51:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414807#M119468 somesoni2 2018-11-29T20:51:40Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414808#M119469 <P>or use eval diffoflastchange =strftime(diffoflastchange,"%HH:%MM:%SS")</P> Fri, 30 Nov 2018 19:27:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414808#M119469 macadminrohit 2018-11-30T19:27:21Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414809#M119470 <P>Like this:</P> <PRE><CODE>Your Search Here | streamstats current=false window=2 range(_time) AS diffoflastchange | timechart span=1d avg(diffoflastchange) </CODE></PRE> Fri, 30 Nov 2018 22:45:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414809#M119470 woodcock 2018-11-30T22:45:35Z https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414810#M119471 <P>Let me give a more concrete example of my data since none of these suggestions seem to be working.</P> <PRE><CODE>_time Processed_time namespace time_of_last_change prev_count actualchange 1 2018-11-28 11:15:01 1543421701 sample 1543422601 130701 20 2 2018-11-28 08:15:01 1543410901 sample 1543411801 130681 4 </CODE></PRE> <P>I got my query to the point to where I get back data like the above - now what I really want is to take these two values which between them is 3hrs and if these were the only two values by namespace for the month, week whatever then my average update time would be ~3hrs - but I can't seem to get that to compute</P> Sat, 01 Dec 2018 20:57:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-average-duration-of-timestamps/m-p/414810#M119471 tb5821 2018-12-01T20:57:18Z