https://community.splunk.com/t5/Splunk-Search/Average-duration/m-p/108607#M28284 <P>What is the syntax to obtain the average duration for each severity type in a query? A field exists called app_duration=0d 0h 40m 3s. I need the average for each severity type.</P> <P>Thanks.</P> Tue, 24 May 2011 18:16:10 GMT DTERM 2011-05-24T18:16:10Z https://community.splunk.com/t5/Splunk-Search/Average-duration/m-p/108607#M28284 <P>What is the syntax to obtain the average duration for each severity type in a query? A field exists called app_duration=0d 0h 40m 3s. I need the average for each severity type.</P> <P>Thanks.</P> Tue, 24 May 2011 18:16:10 GMT https://community.splunk.com/t5/Splunk-Search/Average-duration/m-p/108607#M28284 DTERM 2011-05-24T18:16:10Z https://community.splunk.com/t5/Splunk-Search/Average-duration/m-p/108608#M28285 <P>First convert the <CODE>app_duration</CODE> to a format <EM>convert</EM> can use. Then, use convert to store <CODE>app_duration</CODE> in seconds. Next, average all seconds by <CODE>severity_type</CODE>. Finally, re-format <CODE>avg_app_duration</CODE> for each <CODE>severity_type</CODE> in the human readable format of HH:MM:SS. </P> <PRE><CODE>eval app_duration=replace(replace(replace(app_duration,"d\s","+"),"h|m|s",""),"\s",":") | convert dur2sec(app_duration) | stats avg(app_duration) as avg_app_duration by severity_type | eval avg_app_duration=tostring(round(avg_app_duration,0),"duration") </CODE></PRE> Tue, 24 May 2011 18:51:36 GMT https://community.splunk.com/t5/Splunk-Search/Average-duration/m-p/108608#M28285 bwooden 2011-05-24T18:51:36Z