https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225807#M66594 <P>So I have the following search:</P> <PRE><CODE>Index="Cyber" sourcetype=Response queue = "Incident" status ="resolved" | dedup ticket | table Date_Created, Acknowledge_Date | eval epoch1=strptime(Date_Created,"%Y-%m-%d %H:%M:%S") | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Date_Created) as epochDateCreated | eval epoch2=strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S") | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Acknowledge_Date) as epochAck | eval Diff=(epochAck-epochDateCreated) |stats avg(Diff) </CODE></PRE> <P>I now have an average time it takes to acknowledge an incident in epoch format. However, I cannot use Strftime once the figure has already been averaged. Is there a way around this?</P> Thu, 12 Nov 2015 09:46:31 GMT mjd555 2015-11-12T09:46:31Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225807#M66594 <P>So I have the following search:</P> <PRE><CODE>Index="Cyber" sourcetype=Response queue = "Incident" status ="resolved" | dedup ticket | table Date_Created, Acknowledge_Date | eval epoch1=strptime(Date_Created,"%Y-%m-%d %H:%M:%S") | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Date_Created) as epochDateCreated | eval epoch2=strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S") | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Acknowledge_Date) as epochAck | eval Diff=(epochAck-epochDateCreated) |stats avg(Diff) </CODE></PRE> <P>I now have an average time it takes to acknowledge an incident in epoch format. However, I cannot use Strftime once the figure has already been averaged. Is there a way around this?</P> Thu, 12 Nov 2015 09:46:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225807#M66594 mjd555 2015-11-12T09:46:31Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225808#M66595 <P>Try this</P> <PRE><CODE>... | stats avg(Diff) AS avgDiff | fieldformat avgDiff=tostring(avgDiff, "duration") | ... </CODE></PRE> Thu, 12 Nov 2015 18:32:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225808#M66595 richgalloway 2015-11-12T18:32:30Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225809#M66596 <P><EM>confetti</EM> @richgalloway <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I just noticed my upvote put you over the 10,000 karma milestone. Congrats and well deserved!</P> Fri, 13 Nov 2015 00:37:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225809#M66596 ppablo 2015-11-13T00:37:49Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225810#M66597 <P>Thanks, ppablo!</P> Fri, 13 Nov 2015 01:13:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225810#M66597 richgalloway 2015-11-13T01:13:12Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225811#M66598 <P>Added more :confetti: to the party !!!!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 13 Nov 2015 01:16:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225811#M66598 MuS 2015-11-13T01:16:53Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225812#M66599 <P>Afraid this didn't work as it just returned a blank value</P> Wed, 18 Nov 2015 13:39:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225812#M66599 mjd555 2015-11-18T13:39:50Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225813#M66600 <P>I just noticed a typo in the fieldformat command. Try the new answer. If it still doesn't work, please post your new search.</P> Wed, 18 Nov 2015 14:08:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225813#M66600 richgalloway 2015-11-18T14:08:13Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225814#M66601 <P>Perfect, that has given me an answer of: 03:25:04.487179 </P> <P>Is there a way to round this?</P> Wed, 18 Nov 2015 14:16:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225814#M66601 mjd555 2015-11-18T14:16:00Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225815#M66602 <P>Try substr. Adjust the second number to get the length you want.</P> <PRE><CODE>... | eval avgDiff=substr(avgDiff, 1, 8) | ... </CODE></PRE> Wed, 18 Nov 2015 14:31:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225815#M66602 richgalloway 2015-11-18T14:31:45Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225816#M66603 <P>Amazing, thanks for your help!!</P> Wed, 18 Nov 2015 14:36:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225816#M66603 mjd555 2015-11-18T14:36:37Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225817#M66604 <P>Please accept the answer.</P> Wed, 18 Nov 2015 14:40:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-epoch-time-to-HH-MM-SS-AFTER-using-stats-AVG/m-p/225817#M66604 richgalloway 2015-11-18T14:40:00Z