https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311623#M93378 <P>Have you validated BBB and AAAA values are different or not?<BR /> Can you add few data samples?</P> Mon, 20 Feb 2017 16:31:58 GMT niketn 2017-02-20T16:31:58Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311620#M93375 <P>Hi, </P> <P>I try to realize an average enter 2 fields which appear in the form of D+HH:MM:SS so i converted with dur2sec. But the result is 0 i don't understand why. Can you help me to find why ? Thanks you.</P> <P>| convert dur2sec(AAAA) <BR /> | convert dur2sec(BBB) <BR /> |stats sum(AAA) as C sum(BBB) as D dc(E) as F<BR /> | eval temps=D-C | eval moyen= temps/F<BR /> | fields moyen</P> Mon, 20 Feb 2017 15:24:32 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311620#M93375 Abarny 2017-02-20T15:24:32Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311621#M93376 <P>What is field E? Counting a field that doesn't exist will make F=0</P> Mon, 20 Feb 2017 16:17:02 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311621#M93376 richgalloway 2017-02-20T16:17:02Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311622#M93377 <P>This field exist, E is an unique identifier on 1 event</P> Mon, 20 Feb 2017 16:22:56 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311622#M93377 Abarny 2017-02-20T16:22:56Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311623#M93378 <P>Have you validated BBB and AAAA values are different or not?<BR /> Can you add few data samples?</P> Mon, 20 Feb 2017 16:31:58 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311623#M93378 niketn 2017-02-20T16:31:58Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311624#M93379 <P>Yes they are différents exemple : AAA = 2017-02-18 11:53:05<BR /> BBB = 2017-02-18 11:53:14</P> <P>But no i can't add data sample .. </P> Mon, 20 Feb 2017 16:37:10 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311624#M93379 Abarny 2017-02-20T16:37:10Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311625#M93380 <P>You said that your field values are in format <CODE>D+HH:MM:SS</CODE> (string formatted duration) but the sample values above shows that they are timestmap, which one is it? If it's timestamp then your convert dur2sec will fail and return 0/null. If they are timestamp, then give this a try</P> <PRE><CODE>...your base search | eval duration=strptime(BBB,"%Y-%m-%d %H:%M:%S")-strptime(AAA,"%Y-%m-%d %H:%M:%S") |stats sum(duration) as duration dc(E) as F | eval moyen= duration/F | fields moyen </CODE></PRE> Mon, 20 Feb 2017 16:55:07 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311625#M93380 somesoni2 2017-02-20T16:55:07Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311626#M93381 <P>Okay ! Thanks for your help ! </P> Mon, 20 Feb 2017 17:04:42 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311626#M93381 Abarny 2017-02-20T17:04:42Z https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311627#M93382 <P>Try this:</P> <PRE><CODE>| eval duration=strptime(BBB,"%Y-%m-%d %H:%M:%S") - strptime(AAA,"%Y-%m-%d %H:%M:%S") |stats savg(duration) AS moyen </CODE></PRE> Mon, 20 Feb 2017 17:07:56 GMT https://community.splunk.com/t5/Splunk-Search/Average-between-2-fields-D-HH-MM-SS/m-p/311627#M93382 woodcock 2017-02-20T17:07:56Z