Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate in customized query the response time from the logs below?

Ash1
Communicator
‎11-28-2022 11:42 AM

Hi All.
I am trying to calculate the response time from the logs below.

11-12-2019 23:34:45, 678 this event will calculate the sign in and sign out of the application, Success,=67, failed=121, |sumsuo=1.0|CompleteTime=100sec
11-12-2019 23:34:45, 678 this event will calculate the sign in and sign out of the application, Success,=67, failed=121, |sumsuo=1.0|CompleteTime=10sec
11-12-2019 23:34:45, 678 this event will calculate the sign in and sign out of the application, Success,=67, failed=121, |sumsuo=1.0|CompleteTime=50sec
11-12-2019 23:34:45, 678 this event will calculate the sign in and sign out of the application, Success,=67, failed=121, |sumsuo=1.0|CompleteTime=40sec
11-12-2019 23:34:45, 678 this event will calculate the sign in and sign out of the application, Success,=67, failed=121, |sumsuo=1.0|CompleteTime=130sec

 

 

 

|tstats count where index=xxxx host=abc OR host=cvb OR host=dgf OR host=ujh sourcetype=xxxx  by PREFIX(completetime=)
|rename completetime= as Time
|timechart span=1d avg(Time) by host
|eval ResTime =round(,Time2)

 




When i am trying to run this query i am not bale to calculate the average of time because when i am doing PREFIX(completetime=) here sec word is also taking up.
How can i ignore it.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-28-2022 02:06 PM

Use the tonumber() function to extract only the digits from the Time field.

 

|tstats count where index=xxxx host=abc OR host=cvb OR host=dgf OR host=ujh sourcetype=xxxx  by PREFIX(CompleteTime=)
|rename CompleteTime as Time
|eval Time=tonumber(Time)
|timechart span=1d avg(Time) as ResTime by host
|eval ResTime =round(ResTime, 2)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Ash1
Communicator
‎11-28-2022 02:26 PM

@richgalloway ,
when i tried to give tonumber i am still seeing Sec
|evak Time=tonumber(Time)

 

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2022 05:24 AM

In that case, try this alternative that uses rex to extract only the digits from Time.

|tstats count where index=xxxx host=abc OR host=cvb OR host=dgf OR host=ujh sourcetype=xxxx  by PREFIX(CompleteTime=)
|rename CompleteTime as Time
|rex field=Time "(?<Time>\d+)"
|timechart span=1d avg(Time) as ResTime by host
|eval ResTime =round(ResTime, 2)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...