https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453731#M128391 <P>This is probably quite simple and I am missing something..<BR /> i am using this search. </P> <PRE><CODE>index=sxxx sourcetype=sxxx host=xyz source="C:\\mydata" |Dedup _time|table _time, host, username, SimulatorProcess, ProcessTime </CODE></PRE> <P>I have the following search result</P> <PRE><CODE>08/19/2019 16:44:34,136Z INFO user[XXXX] tid[ 1] [(null)]: ProcessSimulationResults took: 1.1204099 seconds </CODE></PRE> <P>i did a field extraction to get the username, what the process is and the time. I would like to put these in a table and average them out. Search has 4 results but when i put into a table i get many null results. <BR /> what is the best way to display and average these out. Would also like to have a single display of the averages over day/week/month.</P> <P>thanks!</P> Mon, 19 Aug 2019 19:14:51 GMT jpsquires 2019-08-19T19:14:51Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453731#M128391 <P>This is probably quite simple and I am missing something..<BR /> i am using this search. </P> <PRE><CODE>index=sxxx sourcetype=sxxx host=xyz source="C:\\mydata" |Dedup _time|table _time, host, username, SimulatorProcess, ProcessTime </CODE></PRE> <P>I have the following search result</P> <PRE><CODE>08/19/2019 16:44:34,136Z INFO user[XXXX] tid[ 1] [(null)]: ProcessSimulationResults took: 1.1204099 seconds </CODE></PRE> <P>i did a field extraction to get the username, what the process is and the time. I would like to put these in a table and average them out. Search has 4 results but when i put into a table i get many null results. <BR /> what is the best way to display and average these out. Would also like to have a single display of the averages over day/week/month.</P> <P>thanks!</P> Mon, 19 Aug 2019 19:14:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453731#M128391 jpsquires 2019-08-19T19:14:51Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453732#M128392 <P>Stats count by _Time, host, username, SimulatorProcess, ProcessTime gives me a good chart. Now to average</P> Mon, 19 Aug 2019 19:19:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453732#M128392 jpsquires 2019-08-19T19:19:47Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453733#M128393 <P>Here's how to get the average processTime by user, host, and SimulatorProcess:</P> <PRE><CODE>index=ixxx sourcetype=sxxx host=xyz source=xxx | stats avg(ProcessTime) as avgProcessTime by host, username, SimulatorProcess | table host, username, SimulatorProcess, avgProcessTime </CODE></PRE> <P>You can also do this over time:</P> <PRE><CODE>index=ixxx sourcetype=sxxx host=xyz source=xxx | timechart avg(ProcessTime) as avgProcessTime, values(username) as users, values(host) as hosts by SimulatorProcess </CODE></PRE> Mon, 19 Aug 2019 19:43:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453733#M128393 solarboyz1 2019-08-19T19:43:37Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453734#M128394 <P>Excellent.. Thank you for the assist.</P> Tue, 20 Aug 2019 14:23:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Stats-from-Search-and-Average/m-p/453734#M128394 jpsquires 2019-08-20T14:23:02Z