https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195547#M56386 <P>Thisis awesome. Thank you. I need to only the results of the search above if any of the durations of the specific job name are greater the average by 40% or more. Do I need to create a whole new search?</P> Fri, 17 Jul 2015 15:05:21 GMT zd00191 2015-07-17T15:05:21Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195538#M56377 <PRE><CODE>index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" | transaction JOB_NAME startswith="START*" unifyends=true | eval durationNew=duration |eval x=tostring(duration,"duration") |stats count(JOB_NAME) AS "Job_Run_Total" avg(x) by JOB_NAME </CODE></PRE> <P>I have the search above. I want to find all the transactions. After getting all the transactions, calculate the average duration by job name (the trans id) and then display a table with the job_name, # of transactions , and the average duration </P> <P>Please help. Thanks!</P> Wed, 08 Jul 2015 13:51:32 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195538#M56377 zd00191 2015-07-08T13:51:32Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195539#M56378 <P>Try this instead (much faster)</P> <PRE><CODE> index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" |stats earliest(_time) AS start_time latest(_time) AS end_time count AS "Events In Job" BY JOB_NAME | eval duration=end_time-start_time </CODE></PRE> <P>Then you can add this to the end, too:</P> <PRE><CODE>| stats avg(duration) avg(Events In Job) </CODE></PRE> Wed, 08 Jul 2015 14:00:34 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195539#M56378 woodcock 2015-07-08T14:00:34Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195540#M56379 <P>Thanks for responding. I want the table to look like this.</P> <P>Job Name Job Run Total Average duration</P> <P>Job names should not show up twice. The job run total is the number of transactions for that job name. The average duration is the average duration of the number of transactions by job name.</P> Wed, 08 Jul 2015 14:04:04 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195540#M56379 zd00191 2015-07-08T14:04:04Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195541#M56380 <P>I assumed that "JOB_NAME" is unique and if it is not, my approach cannot be made to work but this should:</P> <PRE><CODE>index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" | transaction JOB_NAME startswith="START*" unifyends=true | stats count AS "Job Run Total" avg(duration) AS "Average duration" BY JOB_NAME | rename "JOB_NAME" AS "Job Name" </CODE></PRE> <P>This is pretty much the same as what you did; does it not work as you expect?</P> Wed, 08 Jul 2015 14:38:47 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195541#M56380 woodcock 2015-07-08T14:38:47Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195542#M56381 <P>I actually got it working with this. I just need to trim all the extra zeros on the end of the average duration.`</P> <PRE><CODE> index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" | transaction JOB_NAME startswith="START*" unifyends=true | eval durationNew=duration |stats count(JOB_NAME) AS "Job_Run_Total" avg(durationNew) as x by JOB_NAME |eval "Average Duration(hh:mm:ss)" = tostring(x, "duration") |table JOB_NAME Job_Run_Total "Average Duration(hh:mm:ss)" </CODE></PRE> Wed, 08 Jul 2015 14:42:07 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195542#M56381 zd00191 2015-07-08T14:42:07Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195543#M56382 <P>Got it. </P> <PRE><CODE>index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="$System$" | transaction JOB_NAME startswith="START*" unifyends=true | eval durationNew=duration |stats count(JOB_NAME) AS "Job_Run_Total" avg(durationNew) as x by JOB_NAME |eval y = tostring(x, "duration") |eval "Average Duration(hh:mm:ss)"=substr(y, 1,8) |table JOB_NAME Job_Run_Total "Average Duration(hh:mm:ss)" </CODE></PRE> Wed, 08 Jul 2015 14:46:30 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195543#M56382 zd00191 2015-07-08T14:46:30Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195544#M56383 <P>Thanks for your help though!</P> Wed, 08 Jul 2015 14:46:38 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195544#M56383 zd00191 2015-07-08T14:46:38Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195545#M56384 <P>This is the answer to the question above.</P> <PRE><CODE> index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="$System$" | transaction JOB_NAME startswith="START*" unifyends=true | eval durationNew=duration |stats count(JOB_NAME) AS "Job_Run_Total" avg(durationNew) as x by JOB_NAME |eval y = tostring(x, "duration") |eval "Average Duration(hh:mm:ss)"=substr(y, 1,8) |table JOB_NAME Job_Run_Total "Average Duration(hh:mm:ss)" </CODE></PRE> Wed, 08 Jul 2015 14:47:09 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195545#M56384 zd00191 2015-07-08T14:47:09Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195546#M56385 <P>Cleaning it up a bit for you gives - </P> <PRE><CODE>index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="$System$" | transaction JOB_NAME startswith="START*" unifyends=true | eval durationNew=duration | stats count AS "Job_Run_Total" avg(durationNew) as duration by JOB_NAME | eval duration = tostring(duration, "duration") | eval duration=substr(duration,1,8) | table JOB_NAME Job_Run_Total duration | rename duration as "Average Duration(hh:mm:ss)" </CODE></PRE> <P>little things like <CODE>stats count(foo) by foo</CODE> is redundant and always the same as <CODE>stats count by foo</CODE>, and just simplifying your eval's a bit. cheers. </P> Fri, 10 Jul 2015 07:13:39 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195546#M56385 sideview 2015-07-10T07:13:39Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195547#M56386 <P>Thisis awesome. Thank you. I need to only the results of the search above if any of the durations of the specific job name are greater the average by 40% or more. Do I need to create a whole new search?</P> Fri, 17 Jul 2015 15:05:21 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195547#M56386 zd00191 2015-07-17T15:05:21Z https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195548#M56387 <P>You should "Accept" an answer (even if it is one you add which says "I figured it out", like you just said in your last comment) to close out the Question.</P> Fri, 17 Jul 2015 15:38:12 GMT https://community.splunk.com/t5/Splunk-Search/Average-transaction-duration-by-unique-transaction-id/m-p/195548#M56387 woodcock 2015-07-17T15:38:12Z