Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average Timespan
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a large amount of logs in the following format:
2014-07-30 14:23:51,802 - MyApp - 6 - INFO - Performance - process=Update, timeElapsed=00:00:00.0940611
I have a filter which displays only these entries:
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update
Would someone be able to explain how I can update this go that it give me the average timeElapsed across all entries for the selected period?
Apologies, I'm new to this and have tried a few different things but can't seem to figure it out.
Thanks in advance,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update| eval duration=strptime(timeElapsed,"%H:%M:%S.%6Q")-relative_time(now(),"@d") | stats avg(duration) as avgTimeElapsed
The field timeElapsed is string to need to convert it to seconds before calculating avg.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Service=MyApp source="C:\Logs\MyApp-Performance.log" process=Update| eval duration=strptime(timeElapsed,"%H:%M:%S.%6Q")-relative_time(now(),"@d") | stats avg(duration) as avgTimeElapsed
The field timeElapsed is string to need to convert it to seconds before calculating avg.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked a charm!
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can append an | stats avg(timeElapsed) to your search query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, sorry! Did't saw that the field is not properly converted for use with stats. But @somesoni2 got it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response.
This is one of the things I tried but I just get a message saying "No results found"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
