Archive
Highlighted

Display daily runtime averages by month

Communicator

Currently displaying daily run time averages, however I want to show averages by month and week as well. Any suggestions to edits to make this work?

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)  | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)  | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")  | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")  | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration(seconds)=(EndTime - StartTime)/1000  | stats  avg(Duration(seconds)) as AvgDayendTime by ClientName | eval  AvgDayendTime = tostring('AvgDayendTime', "duration")
0 Karma
Highlighted

Re: Display daily runtime averages by month

Esteemed Legend

First of all, try this search to replace your existing one:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| stats  avg(Duration_seconds) as AvgDayendTime BY ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

Then this for monthly:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| bucket _time span=1mon
| stats  avg(Duration_seconds) as AvgDayendTime BY _time ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

For weekly, just change 1mon to 1w.

0 Karma
Highlighted

Re: Display daily runtime averages by month

Communicator

I get "No results found." when attempting to run your search you included.

My search produces expected results.

ClientName AvgDayendTime
Joes 02:31:25.571429

0 Karma
Highlighted

Re: Display daily runtime averages by month

Esteemed Legend

I had a typo. I updated my answer so try again.

0 Karma
Highlighted

Re: Display daily runtime averages by month

Communicator

same result. does not pull back any events.

No results found.

0 Karma
Highlighted

Re: Display daily runtime averages by month

Legend

Assuming UPROC is a field, you may need this change streamstats count(eval(isnotnull(UPROC="ZENDMAIL"))) AS SessionID

0 Karma
Highlighted

Re: Display daily runtime averages by month

Esteemed Legend

Try changing to this:

streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
0 Karma
Highlighted

Re: Display daily runtime averages by month

Legend

That's what I meant 🙂

0 Karma
Highlighted

Re: Display daily runtime averages by month

Communicator

still no luck with the modification.

No results found.

0 Karma
Highlighted

Re: Display daily runtime averages by month

Esteemed Legend

I updated my answer again to make sure that the adjustment is integrated correctly. Does it still not work?

0 Karma