Splunk Search

Adding avg and changing min to minutes

eb1929
Explorer

I'll start off: I am newer to Splunk....

 

I am using the following search 

index=server source="WinEvent" EventCode=1234 OR EventCode=5678
| eval locked_account_name=mvindex(Account_Name, 1)
| eval account_that_unlokcedit=mvindex(Security_ID, 0)
| transaction startswith="locked out" endswith="unlocked"
| stats sum(duration) as duration by locked_account_name account_that_unlokcedit
| eval min=duration/60
| eval min=round(min,2)
| search account_that_unlokcedit=*APP1234* OR account_that_unlokcedit=*z_xxx* OR account_that_unlokcedit=*APP56789*

 

I need to change the min column to minutes..... then I need to get the average of that column (minutes) and put the average in its own column.

1 Solution

richgalloway
SplunkTrust
...
| rename min as minutes
| eventstats avg(minutes) as avgMinutes
---
If this reply helps you, Karma would be appreciated.
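
A Python model of the tail of this search on constructed rows, added here as an example (it is not code from the thread). It shows that `eventstats` keeps every row and writes the same average onto each, and that the average covers whichever rows reach it, so the position of the `search` filter changes the result. The sample accounts and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: one row per completed lockout/unlock transaction, with
# the duration in seconds that the transaction command would have emitted.
TRANSACTIONS = [
    {"locked_account_name": "alice", "account_that_unlokcedit": "APP1234_svc", "duration": 90},
    {"locked_account_name": "alice", "account_that_unlokcedit": "APP1234_svc", "duration": 30},
    {"locked_account_name": "bob", "account_that_unlokcedit": "z_xxx_helpdesk", "duration": 600},
    {"locked_account_name": "carol", "account_that_unlokcedit": "jsmith", "duration": 6000},
]
# Substrings taken from the question's final wildcard filter (*APP1234* etc.).
UNLOCKER_PATTERNS = ("APP1234", "z_xxx", "APP56789")


def stats_sum_minutes(rows):
    """Model of: stats sum(duration) by both fields, then eval/round/rename."""
    totals = defaultdict(float)
    for r in rows:
        totals[(r["locked_account_name"], r["account_that_unlokcedit"])] += r["duration"]
    return [
        {"locked_account_name": name, "account_that_unlokcedit": unlocker,
         "duration": secs, "minutes": round(secs / 60, 2)}
        for (name, unlocker), secs in sorted(totals.items())
    ]


def filter_unlockers(rows):
    """Model of the wildcard search on account_that_unlokcedit (case-insensitive)."""
    return [r for r in rows
            if any(p.lower() in r["account_that_unlokcedit"].lower()
                   for p in UNLOCKER_PATTERNS)]


def eventstats_avg(rows):
    """Model of: eventstats avg(minutes) as avgMinutes (no rows are collapsed)."""
    avg = sum(r["minutes"] for r in rows) / len(rows) if rows else None
    return [dict(r, avgMinutes=avg) for r in rows]


def report(filter_first=True):
    """filter_first=True matches appending the answer after the existing filter."""
    rows = stats_sum_minutes(TRANSACTIONS)
    if filter_first:
        return eventstats_avg(filter_unlockers(rows))
    return filter_unlockers(eventstats_avg(rows))


if __name__ == "__main__":
    for row in report():
        print(row)
```

With the filter applied first, the long lockout cleared by an account outside the filter does not enter the average; with `eventstats` placed before the filter, it does, even though that row is no longer displayed.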
