https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306880#M92061 <P>The tstats command doesn't support _time aggregations except for min/max. Give this version a try</P> <PRE><CODE>| tstats count WHERE index=* OR index=_* by _time _indextime index| eval latency=abs(_indextime-_time) | stats sum(latency) as sum sum(count) as count by index| eval avg=sum/count </CODE></PRE> <P><STRONG>Update</STRONG><BR /> Thanks @rjthibod for pointing the auto rounding of _time. If you've want to measure latency to rounding to 1 sec, use above version. If you want more precide, to the millisecond, use this version.</P> <PRE><CODE>| tstats count WHERE index=* OR index=_* by _time _indextime index span=1ms | eval latency=abs(_indextime-_time) | stats sum(latency) as sum sum(count) as count by index| eval avg=sum/count </CODE></PRE> <P>You can specify Time scale in <CODE>microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds)</CODE> for more precision.</P> Mon, 22 May 2017 17:16:39 GMT somesoni2 2017-05-22T17:16:39Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306878#M92059 <P>Hi,</P> <P>I'd like to calculate the average latency (_indextime-_time) with the tstats command, but I can not make it work:</P> <PRE><CODE>| tstats avg(_indextime-_time) where (index=* OR index=_*) by index </CODE></PRE> <P>Splunk thinks "_indextime-_time" is a field name. How can I compute the difference in the tstats?</P> <P>Thank you</P> Tue, 29 Sep 2020 14:10:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306878#M92059 ctaf 2020-09-29T14:10:12Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306879#M92060 <P>You cannot do that kind of eval in <CODE>tstats</CODE> and <CODE>tstats</CODE> cannot be used to get the individual events out like you would need to.</P> <P>Instead, you have to do this without <CODE>tstats</CODE></P> <PRE><CODE>(index=* OR index=_*) | fields _time index _indextime | fields - _raw | stats avg(eval(_indextime - _time)) as avg by index </CODE></PRE> Mon, 22 May 2017 15:46:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306879#M92060 rjthibod 2017-05-22T15:46:29Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306880#M92061 <P>The tstats command doesn't support _time aggregations except for min/max. Give this version a try</P> <PRE><CODE>| tstats count WHERE index=* OR index=_* by _time _indextime index| eval latency=abs(_indextime-_time) | stats sum(latency) as sum sum(count) as count by index| eval avg=sum/count </CODE></PRE> <P><STRONG>Update</STRONG><BR /> Thanks @rjthibod for pointing the auto rounding of _time. If you've want to measure latency to rounding to 1 sec, use above version. If you want more precide, to the millisecond, use this version.</P> <PRE><CODE>| tstats count WHERE index=* OR index=_* by _time _indextime index span=1ms | eval latency=abs(_indextime-_time) | stats sum(latency) as sum sum(count) as count by index| eval avg=sum/count </CODE></PRE> <P>You can specify Time scale in <CODE>microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds)</CODE> for more precision.</P> Mon, 22 May 2017 17:16:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306880#M92061 somesoni2 2017-05-22T17:16:39Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306881#M92062 <P>I think this approach will always round <CODE>_time</CODE> to the closet second, hence throwing off the answers. Double-check by running this </P> <P><CODE>| tstats count WHERE index=* OR index=_* by _time _indextime index | rename _time as time</CODE></P> Mon, 22 May 2017 17:45:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306881#M92062 rjthibod 2017-05-22T17:45:22Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306882#M92063 <P>@ctaf, you might want to reconsider. As my other comment says, this approach rounds off the <CODE>_time</CODE> field to the nearest second.</P> <P>Here is a quick test: run the command @somesoni2 gave and then run mine . If you get two difference answers for the average, then there is a problem. The <CODE>tstats</CODE> approach would be faster and better if it didn't round off <CODE>_time</CODE>.</P> Wed, 24 May 2017 11:52:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306882#M92063 rjthibod 2017-05-24T11:52:36Z https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306883#M92064 <PRE><CODE>| tstats earliest(_time) as etime where index=* by index _indextime | eval delta=(etime-_indextime)/60 | eval _time=_indextime | timechart span=10m min(delta) by index limit=0 </CODE></PRE> Thu, 08 Nov 2018 11:15:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compute-indextime-time-difference-average-with-tstats/m-p/306883#M92064 nunoaragao 2018-11-08T11:15:58Z