https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143746#M39947 <P>I have this indexed field which is read by splunk as a string, I need the average length, but the data has no Day, month or year, just time. </P> <P>Example data :<BR /> 03:20:15<BR /> 02:45:07<BR /> 03:12:00<BR /> 04:05:23</P> <P>How do I convert these so Splunk can get the average?? </P> <P>Thanks in advance! </P> Sun, 26 Jul 2015 15:49:42 GMT vtsguerrero 2015-07-26T15:49:42Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143746#M39947 <P>I have this indexed field which is read by splunk as a string, I need the average length, but the data has no Day, month or year, just time. </P> <P>Example data :<BR /> 03:20:15<BR /> 02:45:07<BR /> 03:12:00<BR /> 04:05:23</P> <P>How do I convert these so Splunk can get the average?? </P> <P>Thanks in advance! </P> Sun, 26 Jul 2015 15:49:42 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143746#M39947 vtsguerrero 2015-07-26T15:49:42Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143747#M39948 <P>May be do an eval and convert them to total seconds into a new field.. and do average on the new field.</P> Sun, 26 Jul 2015 16:26:15 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143747#M39948 pradeepkumarg 2015-07-26T16:26:15Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143748#M39949 <P>What function could I use to convert em with an eval? I mean, I dont have the full date...</P> Sun, 26 Jul 2015 17:30:01 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143748#M39949 vtsguerrero 2015-07-26T17:30:01Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143749#M39950 <P>One method could be to use the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/convert">convert</A> command to change the field from a duration into to seconds, then average with some form of stats, and if necessary use the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions">tostring</A> function in an <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/eval">eval</A> to change back to duration format.</P> <PRE><CODE>... | convert dur2sec(field) | stats avg(field) as field | eval field=tostring(round(field),"duration") </CODE></PRE> <P>Now with any solution there are some assumptions of your data, with this convert method, it assumes that</P> <UL> <LI>No fractional seconds are present e.g. "01:02:03.456" would not work</LI> <LI>Days are specified as "D+" e.g. "1+0:0:1" will work but "1:0:0:1" will not</LI> <LI>Hours and minutes respect their respective moduli (0-23 hours, 0-59 minutes)</LI> </UL> <P>If your data doesn't conform to this, then you could craft your own regular expression and use <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/rex">rex</A> command to pull out the pieces and use an eval to combine into seconds:</P> <PRE><CODE>... | rex field=field "^(?&lt;dur_h&gt;\d+):(?&lt;dur_m&gt;\d+):(?&lt;dur_s&gt;\d+(?:\.\d+)?)$" | eval dur = (dur_h*60 + dur_m)*60 + dur_s | stats avg(dur) as field </CODE></PRE> Sun, 26 Jul 2015 18:38:20 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143749#M39950 acharlieh 2015-07-26T18:38:20Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143750#M39951 <P>Thanks a lot @acharlieh ♦ !<BR /> Worked perfectly!<BR /> Just tryin' now to get the difference from the last head 1 event duration to the average duration.<BR /> With the average and the last event I shall get the deviation to generate a red, yellow or green status.<BR /> Thanks!</P> Mon, 27 Jul 2015 13:24:22 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-use-Stats-Avg-On-a-Datetime-Field/m-p/143750#M39951 vtsguerrero 2015-07-27T13:24:22Z