https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490676#M137006 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="2020-03-11 08:23:55,141 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.141\",**TotalTime**=\"40 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"40 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 40 Milliseconds.\",RequestStatus=\"Success\":::2020-03-11 08:23:55,151 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.151\",**TotalTime**=\"50 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"50 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 50 Milliseconds.\",RequestStatus=\"Success\":::2020-03-11 08:23:55,161 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.161\",**TotalTime**=\"60 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"60 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 60 Milliseconds.\",RequestStatus=\"Success\"" | makemv delim=":::" raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex field=TotalTime "^(?&lt;TT_magnitude&gt;\d+)\s*(?&lt;TT_units&gt;.*)$" | eval TT = TT_magnitude * case( TT_units = "Milliseconds", 1/1000, TT_units = "Centiseconds", 1/100, TT_units = "Seconds", 1, true(), 0) | stats avg(TT) AS avg_TotalTime </CODE></PRE> Wed, 11 Mar 2020 16:36:39 GMT woodcock 2020-03-11T16:36:39Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490674#M137004 <P>I have multiple log events like below based on my search criteria-</P> <PRE><CODE>2020-03-11 08:23:55,141 - [UserId=xyz | UserName=abc | INFO INFO APIName="REPORT SEARCH",Stage="exit",StartTime="2020-03-11 08:23:55.101",EndTime="2020-03-11 08:23:55.141",**TotalTime**="40 Milliseconds",XBAPILatency="0 Milliseconds",XBLatency="40 Milliseconds",XBMessage="REPORT SEARCH API response was 40 Milliseconds.",RequestStatus="Success" 2020-03-11 08:23:55,151 - [UserId=xyz | UserName=abc | INFO INFO APIName="REPORT SEARCH",Stage="exit",StartTime="2020-03-11 08:23:55.101",EndTime="2020-03-11 08:23:55.151",**TotalTime**="50 Milliseconds",XBAPILatency="0 Milliseconds",XBLatency="50 Milliseconds",XBMessage="REPORT SEARCH API response was 50 Milliseconds.",RequestStatus="Success" 2020-03-11 08:23:55,161 - [UserId=xyz | UserName=abc | INFO INFO APIName="REPORT SEARCH",Stage="exit",StartTime="2020-03-11 08:23:55.101",EndTime="2020-03-11 08:23:55.161",**TotalTime**="60 Milliseconds",XBAPILatency="0 Milliseconds",XBLatency="60 Milliseconds",XBMessage="REPORT SEARCH API response was 60 Milliseconds.",RequestStatus="Success" </CODE></PRE> <P>I want to build a Splunk query which will give me average response time based on <STRONG>TotalTime</STRONG> value.</P> <P>I tried to do so by | stats avg(TotalTime) but no results are showing as the value contains a string (Milliseconds) as well.<BR /> Can someone please help me with this as I am new to Splunk tool?</P> Wed, 11 Mar 2020 13:39:35 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490674#M137004 dhirajnangar 2020-03-11T13:39:35Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490675#M137005 <P>As a first cut, you can use rex to extract the value of TotalTime from the events.</P> <P>Something like this should work:</P> <PRE><CODE>yoursearch | rex field=_raw \*\*TotalTime\*\*="(?&lt;TotalTime&gt;\d+)\sMilliseconds" | stats avg(TotalTime) </CODE></PRE> <P>I recommend looking at the percentile calculations rather than average. Although avg is widely used, average can hide outliers.<BR /> In your situation, I would look at the differences between average and the 50th percentile (aka <EM>median</EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE> yoursearch | rex field=_raw \*\*TotalTime\*\*="(?&lt;TotalTime&gt;\d+)\sMilliseconds" | stats avg(TotalTime) AS Average, perc50(TotalTime) as Median </CODE></PRE> <P>If it looks like using Total Time is worthwhile, then move the field extraction of TotalTime to props.conf with the help of your local Splunk admin.</P> <P>Hope that helps!<BR /> rmmiller</P> Wed, 11 Mar 2020 15:26:57 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490675#M137005 rmmiller 2020-03-11T15:26:57Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490676#M137006 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="2020-03-11 08:23:55,141 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.141\",**TotalTime**=\"40 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"40 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 40 Milliseconds.\",RequestStatus=\"Success\":::2020-03-11 08:23:55,151 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.151\",**TotalTime**=\"50 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"50 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 50 Milliseconds.\",RequestStatus=\"Success\":::2020-03-11 08:23:55,161 - [UserId=xyz | UserName=abc | INFO INFO APIName=\"REPORT SEARCH\",Stage=\"exit\",StartTime=\"2020-03-11 08:23:55.101\",EndTime=\"2020-03-11 08:23:55.161\",**TotalTime**=\"60 Milliseconds\",XBAPILatency=\"0 Milliseconds\",XBLatency=\"60 Milliseconds\",XBMessage=\"REPORT SEARCH API response was 60 Milliseconds.\",RequestStatus=\"Success\"" | makemv delim=":::" raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex field=TotalTime "^(?&lt;TT_magnitude&gt;\d+)\s*(?&lt;TT_units&gt;.*)$" | eval TT = TT_magnitude * case( TT_units = "Milliseconds", 1/1000, TT_units = "Centiseconds", 1/100, TT_units = "Seconds", 1, true(), 0) | stats avg(TT) AS avg_TotalTime </CODE></PRE> Wed, 11 Mar 2020 16:36:39 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490676#M137006 woodcock 2020-03-11T16:36:39Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490677#M137007 <P>Solid! My first instinct was to ask about the units and whether they always showed up with the same units. You bulletproofed it! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 11 Mar 2020 17:37:22 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-for-average-response-time-based-on-TotalTime/m-p/490677#M137007 rmmiller 2020-03-11T17:37:22Z