Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the Average of the Time coming in sec

aditsss
Motivator
‎05-31-2021 10:46 PM

Hi Everyone,

I am getting total time taken field as shown below in my logs

on_1621717537363_2611781,3497 secs,Passed,,E3

621717537363_2611790,926 secs,Passed,,E3

I want to calculate its Average. I tried with this query but its not working:

index=abc source="/xyz"|eval fields=split(_raw,",")|eval job_id=mvindex(fields,0)|eval sourceType=mvindex(fields,1)|eval inputFilePath=mvindex(fields,2)|eval tableName=mvindex(fields,3)|eval inputRecordsCount=mvindex(fields,4)|eval processedRecordsCount=mvindex(fields,5)|eval startTime=mvindex(fields,6)|eval endTime=mvindex(fields,7)|eval loadAppendTimestampCol=mvindex(fields,8)|eval refreshType=mvindex(fields,9)|eval className=mvindex(fields,10)|eval applicationId=mvindex(fields,11)|eval totalTimeTaken=mvindex(fields,12)|eval status=mvindex(fields,13)|eval errorMessage=mvindex(fields,14)|eval Environment=mvindex(fields,15)|stats avg(totalTimeTaken) as AvgExecTime |eval AvgExecTime=round(AvgExecTime,2)

Can someone guide me on this.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 11:15 PM

Add this after the mvindex line for totalTimeTaken

| rex field=totalTimeTaken "(?<totalTimeTaken>\d+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 11:15 PM

Add this after the mvindex line for totalTimeTaken

| rex field=totalTimeTaken "(?<totalTimeTaken>\d+)"
Reply
Solved! Jump to solution

aditsss
Motivator
‎05-31-2021 11:55 PM

@ITWhisperer 

why its not working with Timechart when I am using below query:

index=abc source="xyz"|eval fields=split(_raw,",")|eval job_id=mvindex(fields,0)|eval sourceType=mvindex(fields,1)|eval inputFilePath=mvindex(fields,2)|eval tableName=mvindex(fields,3)|eval inputRecordsCount=mvindex(fields,4)|eval processedRecordsCount=mvindex(fields,5)|eval startTime=mvindex(fields,6)|eval endTime=mvindex(fields,7)|eval loadAppendTimestampCol=mvindex(fields,8)|eval refreshType=mvindex(fields,9)|eval className=mvindex(fields,10)|eval applicationId=mvindex(fields,11)|eval totalTimeTaken=mvindex(fields,12)|rex field=totalTimeTaken "(?<totalTimeTaken>\d+)"|eval status=mvindex(fields,13)|eval errorMessage=mvindex(fields,14)|eval Environment=mvindex(fields,15)|where Environment ="E3"|dedup job_id startTime endTime totalTimeTaken|timechart sum(totalTimeTaken) as TotalExecTime by job_id |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime limit=10

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎05-31-2021 11:34 PM

@ITWhisperer 

This will give me average in seconds or in minutes?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 11:37 PM

Seconds (inferred from the "secs" in the data)

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎05-31-2021 11:11 PM

Hi

this should work.

| makeresults 
| eval _raw = "
on_1621717537363_2611781,3497 secs,Passed,,E3
621717537363_2611790,926 secs,Passed,,E3"
| multikv noheader=t
 ```above generates sample data```
| rex ",(?<secs>\d+) secs,"
| stats avg(secs) as AvgExecTime

 r. Ismo

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...