topic How do you find the avg time of transactions where the duration is longer than normal? in Splunk Search

How do you find the avg time of transactions where the duration is longer than normal?

WarpedMonkey — Tue, 17 Oct 2017 00:54:18 GMT

Hi! I'm trying to get the avg time of transactions where the duration is longer than normal. I can successfully do what I want in a appendcols clause, but it feels like hard work for something simple. The appendcols is added at the end to show you what I wanted to do.

index=ourindex APIRequestStart OR APIRequestStop 
| transaction uuid startswith="* - APIRequestStart" endswith="* - APIRequestStop" 
| timechart count(eval(duration>2)) AS "Number Slow Transactions", **avg(eval(duration>2)) AS "Avg Slow Transactions"**, count AS "Total Transactions", avg(duration) AS "Avg Transactions" span=1h 

| appendcols [search index=index_cesoa* APIRequestStart OR APIRequestStop 
| transaction uuid startswith="* - APIRequestStart" endswith="* - APIRequestStop" 
| where duration > 2 
| timechart avg(duration) AS "Working Avg Slow Transactions" span=1h]

Re: How do you find the avg time of transactions where the duration is longer than normal?

cmerriman — Tue, 17 Oct 2017 11:45:07 GMT

can you do this instead:

index=ourindex APIRequestStart OR APIRequestStop 
| transaction uuid startswith=" - APIRequestStart" endswith=" - APIRequestStop" 
|eval durationGT2=if(duration>2,duration,null())
| timechart count(durationGT2) AS "Number Slow Transactions", avg(durationGT2) AS "Avg Slow Transactions", count AS "Total Transactions", avg(duration) AS "Avg Transactions" span=1h

just add an eval to grab the durations you're looking for

Re: How do you find the avg time of transactions where the duration is longer than normal?

WarpedMonkey — Tue, 17 Oct 2017 13:39:26 GMT

Perfect! I knew it was dead easy. Thanks a lot!