Display daily runtime averages by month

fisuser1 · ‎06-30-2016

Currently displaying daily run time averages, however I want to show averages by month and week as well. Any suggestions to edits to make this work?

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)  | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)  | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")  | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")  | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration(seconds)=(EndTime - StartTime)/1000  | stats  avg(Duration(seconds)) as AvgDayendTime by ClientName | eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

woodcock · ‎06-30-2016

First of all, try this search to replace your existing one:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| stats  avg(Duration_seconds) as AvgDayendTime BY ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

Then this for monthly:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| bucket _time span=1mon
| stats  avg(Duration_seconds) as AvgDayendTime BY _time ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

For weekly, just change 1mon to 1w.

fisuser1 · ‎06-30-2016

I get "No results found." when attempting to run your search you included.

My search produces expected results.

ClientName AvgDayendTime
Joes 02:31:25.571429

woodcock · ‎06-30-2016

I had a typo. I updated my answer so try again.

fisuser1 · ‎06-30-2016

same result. does not pull back any events.

No results found.

woodcock · ‎06-30-2016

Try changing to this:

streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID

sundareshr · ‎06-30-2016

That's what I meant 🙂

fisuser1 · ‎07-01-2016

still no luck with the modification.

No results found.

woodcock · ‎07-01-2016

I updated my answer again to make sure that the adjustment is integrated correctly. Does it still not work?

fisuser1 · ‎07-02-2016

Now seeing "Invalid number" when running.

woodcock · ‎07-02-2016

are you sure that you copied it correctly? That doesn't make sense to me.

fisuser1 · ‎07-02-2016

copy and pasted just fine

woodcock · ‎07-02-2016

By "just fine" you mean "invalid number", right?

sundareshr · ‎06-30-2016

Assuming UPROC is a field, you may need this change streamstats count(eval(isnotnull(UPROC="ZENDMAIL"))) AS SessionID

Display daily runtime averages by month

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Display daily runtime averages by month

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?