https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474151#M192453 <P>@woodcock It's not my data, or my question, just trying to learn from Master Yoda. I didn't follow the data in the question either, so I was using this to derive an answer...</P> <PRE><CODE>| makeresults | eval data="2-Jan-20 16:00:00,10;2-Jan-20 16:30:00,14;1-Jan-20 15:35:00,10;1-Jan-20 17:34:00,14;3-Jan-20 16:50:00,10;3-Jan-20 17:34:00,14" | makemv data delim=";" | mvexpand data | rex field=data "(\s|\n?)(?&lt;data&gt;.*)" | makemv data delim="," | eval _time=strptime(mvindex(data,0),"%d-%b-%y %H:%M:%S"), ErrorCount=mvindex(data,1) | fields _time ErrorCount | eval "Average Event Time"=strftime(avg_event_time, "%H:%M") | stats earliest(_time) as FirstAppearance by _time | bucket _time span=1d | stats avg(FirstAppearance) AS avg_FirstAppearance | eval "Average First Appearance"=strftime(avg_FirstAppearance, "%H:%M") | table "Average First Appearance" </CODE></PRE> Thu, 02 Jan 2020 21:03:09 GMT mydog8it 2020-01-02T21:03:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474145#M192447 <P>I have a search that returns the time of the first instance of a specific event (field "firstaction") by date (field "ldate"). </P> <P>search yadda yadda yadda | stats earliest(time) as firstaction by ldate </P> <P>results:</P> <P>ldate firstaction<BR /> 2019-12-30 09:00:00.000<BR /> 2019-12-31 07:00:00.000</P> <P>What I want is the average time (value) of all the results.... or in this case 08:00:00.000</P> <P>"|stats avg(firstaction) " doesn't return anything.</P> <P>Also, only days that have a value should be averaged.</P> <P>I thought about breaking out the value of the hours, minutes and seconds and converting them to a sum of seconds... then averaging the sum of seconds by day and then converting them back to a time value... but that seems overly complex and I can't be the only person that needs to know the average time of the first occurrence of something by day and alert if it falls outside a standard deviation.</P> <P>Any thoughts (besides purchasing behavioral analytics)?</P> Thu, 02 Jan 2020 14:48:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474145#M192447 drmorgan78 2020-01-02T14:48:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474146#M192448 <P>If you add this to the end of a search that returns the interesting raw events, it will give you the average time the first event of each day is seen in the data:</P> <PRE><CODE>| eval "Average Event Time"=strftime(avg_event_time, "%H:%M") | stats earliest(_time) as FirstAppearance by _time | bucket _time span=1d | stats avg(FirstAppearance) AS avg_FirstAppearance | eval "Average First Appearance"=strftime(avg_FirstAppearance, "%H:%M") | table "Average First Appearance" </CODE></PRE> Thu, 02 Jan 2020 19:23:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474146#M192448 mydog8it 2020-01-02T19:23:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474147#M192449 <P>Give this a try</P> <PRE><CODE>search yadda yadda yadda | stats earliest(time) as firstaction by ldate | convert dur2sec(firstaction) |stats avg(firstaction) as firstaction | eval firstaction=tostring(firstaction,"duration") </CODE></PRE> Thu, 02 Jan 2020 19:51:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474147#M192449 somesoni2 2020-01-02T19:51:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474148#M192450 <P>Like this:</P> <PRE><CODE>search yadda yadda yadda | eval time=strftime(strptime(time, "%H:%M:%S.%3M"), "%H%M%S%3M") | stats min(time) AS firstaction BY ldate | stats avg(firstaction) | fieldformat firstaction = replace(firstaction, "^(\d\d)(\d\d)(\d\d)", "\1:\2:\3.") </CODE></PRE> Thu, 02 Jan 2020 19:52:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474148#M192450 woodcock 2020-01-02T19:52:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474149#M192451 <P>@woodcock I'm trying to follow your SPL, but getting stuck. Should line 2 read:</P> <PRE><CODE>| eval time=strftime(strptime(_time, "%H:%M:%S.%3M"), "%H%M%S%3M") </CODE></PRE> Thu, 02 Jan 2020 20:41:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474149#M192451 mydog8it 2020-01-02T20:41:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474150#M192452 <P>I hate your data; try this:</P> <PRE><CODE>search yadda yadda yadda | stats earliest(time) as firstaction by ldate | rex field=time mode=sed "s/[:\.]//g" | stats avg(firstaction) | fieldformat firstaction = replace(firstaction, "^(\d\d)(\d\d)(\d\d)", "\1:\2:\3.") </CODE></PRE> Thu, 02 Jan 2020 20:50:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474150#M192452 woodcock 2020-01-02T20:50:00Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474151#M192453 <P>@woodcock It's not my data, or my question, just trying to learn from Master Yoda. I didn't follow the data in the question either, so I was using this to derive an answer...</P> <PRE><CODE>| makeresults | eval data="2-Jan-20 16:00:00,10;2-Jan-20 16:30:00,14;1-Jan-20 15:35:00,10;1-Jan-20 17:34:00,14;3-Jan-20 16:50:00,10;3-Jan-20 17:34:00,14" | makemv data delim=";" | mvexpand data | rex field=data "(\s|\n?)(?&lt;data&gt;.*)" | makemv data delim="," | eval _time=strptime(mvindex(data,0),"%d-%b-%y %H:%M:%S"), ErrorCount=mvindex(data,1) | fields _time ErrorCount | eval "Average Event Time"=strftime(avg_event_time, "%H:%M") | stats earliest(_time) as FirstAppearance by _time | bucket _time span=1d | stats avg(FirstAppearance) AS avg_FirstAppearance | eval "Average First Appearance"=strftime(avg_FirstAppearance, "%H:%M") | table "Average First Appearance" </CODE></PRE> Thu, 02 Jan 2020 21:03:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474151#M192453 mydog8it 2020-01-02T21:03:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474152#M192454 <P>So do you have a working solution or are you still having some trouble?</P> Thu, 02 Jan 2020 21:26:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474152#M192454 woodcock 2020-01-02T21:26:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474153#M192455 <PRE><CODE>| makeresults | eval _raw="ldate firstaction 2019-12-29 06:00:00.000 2019-12-30 09:00:00.000 2019-12-31 07:00:00.000" | multikv forceheader=1 | table ldate firstaction | rename COMMENT as "this is sample you provided" | rename COMMENT as "from here, the logic" | eval temp=substr(firstaction,1,8) | convert dur2sec(temp) | stats mean(temp) as firstaction_avg | eval firstaction_avg = tostring(firstaction_avg,"duration") </CODE></PRE> <P>Since the search result is a character string once, it needs to be changed to time .<BR /> This is the query to convert from your search results.</P> Thu, 02 Jan 2020 21:39:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-the-average-time-by-day-of-an-event/m-p/474153#M192455 to4kawa 2020-01-02T21:39:48Z