https://community.splunk.com/t5/Splunk-Search/Subtraction-of-the-duration/m-p/95670#M182472 <P>Assuming you have the duration in a field called 'dur'</P> <PRE><CODE>your_search | eventstats avg(dur) AS avgdur | eval durdiff = dur - avgdur | table avg_dur durdiff </CODE></PRE> <P>You may also want to round off the numbers by inserting an <CODE>eval avgdur=round(avgdur,x)</CODE> after the <CODE>eventstats</CODE>. <CODE>x</CODE> is the number of decimal figures you want.</P> <P>Hope this helps,</P> <P>Kristian</P> Fri, 19 Oct 2012 13:55:38 GMT kristian_kolb 2012-10-19T13:55:38Z https://community.splunk.com/t5/Splunk-Search/Subtraction-of-the-duration/m-p/95669#M182471 <P>Hi </P> <P>i hav the current duration of each and ever task as</P> <P>time Taskname duration to complete the task</P> <P>11.30 task1 1</P> <P>11.32 task2 0.56</P> <P>11.40 task1 1.35</P> <P>11.21 task3 4 </P> <P>now i want to calculate the average duration of the each task ,and i have to calculate the difference between current duration and the avg duration of the corresponding task</P> Fri, 19 Oct 2012 07:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Subtraction-of-the-duration/m-p/95669#M182471 splunkpoornima 2012-10-19T07:01:28Z https://community.splunk.com/t5/Splunk-Search/Subtraction-of-the-duration/m-p/95670#M182472 <P>Assuming you have the duration in a field called 'dur'</P> <PRE><CODE>your_search | eventstats avg(dur) AS avgdur | eval durdiff = dur - avgdur | table avg_dur durdiff </CODE></PRE> <P>You may also want to round off the numbers by inserting an <CODE>eval avgdur=round(avgdur,x)</CODE> after the <CODE>eventstats</CODE>. <CODE>x</CODE> is the number of decimal figures you want.</P> <P>Hope this helps,</P> <P>Kristian</P> Fri, 19 Oct 2012 13:55:38 GMT https://community.splunk.com/t5/Splunk-Search/Subtraction-of-the-duration/m-p/95670#M182472 kristian_kolb 2012-10-19T13:55:38Z