https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230455#M68319 <P>It seems a good try, but where I should set the duration of 5 minutes per event?</P> <P>Also, I check it in my code, and there is a new field called new_duration, which is good, but I don't know why, TotalDuration appears empty :S </P> <P>I have problem with sum(X) and avg(X) with stats, I think they worked but my results appear empty the most of times, and I don't understand why.</P> <P>Thanks a lot, you're being really helpful! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jan 2016 08:42:10 GMT marina_rovira 2016-01-13T08:42:10Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230452#M68316 <P>Hello all,</P> <P>I'm making an alerts report and by now, I have the total number of Alerts for a month, let's set it as 10,000.<BR /> Now, I want to set an estimated time spent for all these alerts. To do that, I need to create a field with the value of 5 minutes for each Alert (is more or less the time I think the people spent handling this).</P> <P>I want to set it for then, sum up the field for each event and get the estimated time as 10,000 alerts * 5 minutes (+or-) for alert = 50,000 minutes ~ 833 hours </P> <P>For now, I've done this and it seems to work:</P> <PRE><CODE>| eval startofevent=strptime(strftime(_time, "%Y/%m/%d 00:00:00"), "%Y/%m/%d %H:%M:%S") | eval endofevent=strptime(strftime(_time, "%Y/%m/%d 00:05:00"), "%Y/%m/%d %H:%M:%S") | eval new_duration=endofevent-startofevent | stats count(Alert) as TotalAlerts sum(new_duration) as Total_time | eval TotalDuration = tostring(Total_time, "duration") | table TotalAlerts,TotalDuration </CODE></PRE> <P>It give the result as <CODE>DD+HH:MM:SS.00000</CODE> and I would like it without <CODE>.00000</CODE> or in some friendly format, so If someone has a suggestion to do it in a better way, it will be welcomed! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thank you! </P> Tue, 12 Jan 2016 15:51:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230452#M68316 marina_rovira 2016-01-12T15:51:26Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230453#M68317 <P>I might be misunderstanding your requirement... but why don't you just do an eval after your stats count?</P> <PRE><CODE>... | stats count(Alert) as TotalAlerts | eval Total_time = TotalAlerts * 5 </CODE></PRE> <P>If this doesn't work for you please explain further your requirement.</P> Tue, 12 Jan 2016 16:06:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230453#M68317 aholzer 2016-01-12T16:06:08Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230454#M68318 <P>You could try something like this</P> <PRE><CODE>... | streamstats range(_time) as new_duration | stats count(Alert) as TotalAlerts sum(new_duration) as Total_time | eval Total_time =tostring(round(Total_time , 0), "duration") | table TotalAlerts,TotalDuration </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Streamstats</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonstatsfunctions">http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonstatsfunctions</A></P> Tue, 12 Jan 2016 16:10:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230454#M68318 sundareshr 2016-01-12T16:10:03Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230455#M68319 <P>It seems a good try, but where I should set the duration of 5 minutes per event?</P> <P>Also, I check it in my code, and there is a new field called new_duration, which is good, but I don't know why, TotalDuration appears empty :S </P> <P>I have problem with sum(X) and avg(X) with stats, I think they worked but my results appear empty the most of times, and I don't understand why.</P> <P>Thanks a lot, you're being really helpful! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jan 2016 08:42:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230455#M68319 marina_rovira 2016-01-13T08:42:10Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230456#M68320 <P>It's something like this, I've tried, but I think the final result is not correct. Maybe because we are not setting that this 5 is 5 minutes or I don't knwo why. I keep trying this <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thanks! </P> Wed, 13 Jan 2016 08:48:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230456#M68320 marina_rovira 2016-01-13T08:48:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230457#M68321 <P>Try this</P> <PRE><CODE>| stats count as TotalAlerts | eval Total_time = tostring(TotalAlerts*5, "duration") | table TotalAlerts, Total_time </CODE></PRE> Wed, 13 Jan 2016 12:40:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230457#M68321 sundareshr 2016-01-13T12:40:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230458#M68322 <P>I saw you had another question about finding the average. If this is related, I would change the search to this </P> <PRE><CODE> | stats count as TotalAlerts | eval Total_time = TotalAlerts*5 | stats avg(Total_time) as AvgTime | fieldformat AvgTime =tostring(AvgTime, "duration") </CODE></PRE> Wed, 13 Jan 2016 13:09:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230458#M68322 sundareshr 2016-01-13T13:09:02Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230459#M68323 <P>At this one the average is not a theme. I tried what you said before and the results are these:</P> <P>TotalAlerts Total_time<BR /> 25211 1+11:00:55 </P> <P>I want to set a new field of 5 minuts for each alert, but the results doesn't seems realistic to me, I mean 5 minuts for 25211 alerts, seems quite difficult that the total spent time handling alerts is 1 day and 11 hours :S</P> Wed, 13 Jan 2016 13:46:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230459#M68323 marina_rovira 2016-01-13T13:46:01Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230460#M68324 <P>I was calculating and I think I am wrong and the result is correct like this. I just realised, if now I am correct, that it let's the time in seconds although I'm setting 5 minutes. And calculating (((Total_time/60)/60)/24) It give this "1+11:00:55"</P> <P>I get it! Thanks for you comments! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jan 2016 13:50:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-new-field-and-set-it-with-a-value-of-5-minutes/m-p/230460#M68324 marina_rovira 2016-01-13T13:50:09Z