Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Display daily runtime averages by month

fisuser1
Contributor
‎06-30-2016 06:37 AM

Currently displaying daily run time averages, however I want to show averages by month and week as well. Any suggestions to edits to make this work? 

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes | eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)  | eval EndTime=if(UPROC="ZENDMAIL",EndTime,null)  | eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")  | eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")  | transaction startswith="UPROC=ZSTRTMAIL" endswith="UPROC=ZENDMAIL" | eval Duration(seconds)=(EndTime - StartTime)/1000  | stats  avg(Duration(seconds)) as AvgDayendTime by ClientName | eval  AvgDayendTime = tostring('AvgDayendTime', "duration")
0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2016 06:58 AM

First of all, try this search to replace your existing one:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| stats  avg(Duration_seconds) as AvgDayendTime BY ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

Then this for monthly:

sourcetype=PROFILE_DAYEND_STATS (UPROC="ZSTRTMAIL" OR UPROC="ZENDMAIL") ClientName=Joes
| eval StartTime=if(UPROC="ZSTRTMAIL",StartTime,null)
| eval EndTime=if(UPROC="ZENDMAIL",EndTime,null) 
| eval Start=StartDate." ".strftime(StartTime/1000,"%H:%M:%S")
| eval End=EndDate." ".strftime(EndTime/1000,"%H:%M:%S")
| reverse
| streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
| stats values(*) AS * BY SessionID
| eval Duration_seconds=(EndTime - StartTime)/1000
| bucket _time span=1mon
| stats  avg(Duration_seconds) as AvgDayendTime BY _time ClientName
| eval  AvgDayendTime = tostring('AvgDayendTime', "duration")

For weekly, just change 1mon to 1w.

0 Karma
Reply

fisuser1
Contributor
‎06-30-2016 07:12 AM

I get "No results found." when attempting to run your search you included.

My search produces expected results.

ClientName AvgDayendTime
Joes 02:31:25.571429

0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2016 07:16 AM

I had a typo. I updated my answer so try again.

0 Karma
Reply

fisuser1
Contributor
‎06-30-2016 07:21 AM

same result. does not pull back any events.

No results found.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2016 07:40 AM

Try changing to this:

streamstats count(eval(UPROC="ZENDMAIL")) AS SessionID
0 Karma
Reply

sundareshr
Legend
‎06-30-2016 07:59 AM

That's what I meant 🙂

0 Karma
Reply

fisuser1
Contributor
‎07-01-2016 04:23 AM

still no luck with the modification.

No results found.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2016 08:10 AM

I updated my answer again to make sure that the adjustment is integrated correctly. Does it still not work?

0 Karma
Reply

fisuser1
Contributor
‎07-02-2016 05:50 AM

Now seeing "Invalid number" when running.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2016 06:17 AM

are you sure that you copied it correctly? That doesn't make sense to me.

0 Karma
Reply

fisuser1
Contributor
‎07-02-2016 06:24 AM

copy and pasted just fine

0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2016 07:14 AM

By "just fine" you mean "invalid number", right?

0 Karma
Reply

sundareshr
Legend
‎06-30-2016 07:21 AM

Assuming UPROC is a field, you may need this change streamstats count(eval(isnotnull(UPROC="ZENDMAIL"))) AS SessionID

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...