Currently displaying daily run time averages; however, I want to show averages by month and week as well. Any suggestions for edits to make this work?
sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL"
| eval Duration(seconds)=(EndTime - StartTime)/1000
| stats avg(Duration(seconds)) as AvgDayendTime by ClientName
| eval AvgDayendTime = tostring('AvgDayendTime', "duration")
First of all, try this search to replace your existing one:
sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| stats avg(Duration_seconds) as AvgDayendTime BY ClientName
| eval AvgDayendTime = tostring('AvgDayendTime', "duration")
Then this for monthly:
sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| bucket _time span=1mon
| stats avg(Duration_seconds) as AvgDayendTime BY _time ClientName
| eval AvgDayendTime = tostring('AvgDayendTime', "duration")
For weekly, just change 1mon to 1w.
I get "No results found." when attempting to run the search you included.
My search produces expected results.
ClientName AvgDayendTime
Joes 02:31:25.571429
I had a typo. I updated my answer so try again.
Same result. Does not pull back any events.
No results found.
Try changing to this:
streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
That's what I meant 🙂
Still no luck with the modification.
No results found.
I updated my answer again to make sure that the adjustment is integrated correctly. Does it still not work?
Now seeing "Invalid number" when running.
Are you sure that you copied it correctly? That doesn't make sense to me.
Copied and pasted just fine.
By "just fine" you mean "invalid number", right?
Assuming UPROC is a field, you may need this change:
streamstats count(eval(isnotnull(UPROC="ZENDMAIL"))) AS SessionID