Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Average between 2 fields D+HH:MM:SS

Abarny
Path Finder
‎02-20-2017 07:24 AM

Hi,

I try to realize an average enter 2 fields which appear in the form of D+HH:MM:SS so i converted with dur2sec. But the result is 0 i don't understand why. Can you help me to find why ? Thanks you.

| convert dur2sec(AAAA)
| convert dur2sec(BBB)
|stats sum(AAA) as C sum(BBB) as D dc(E) as F
| eval temps=D-C | eval moyen= temps/F
| fields moyen

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2017 09:07 AM

Try this:

| eval duration=strptime(BBB,"%Y-%m-%d %H:%M:%S") - strptime(AAA,"%Y-%m-%d %H:%M:%S")
|stats savg(duration) AS moyen

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2017 09:07 AM

Try this:

| eval duration=strptime(BBB,"%Y-%m-%d %H:%M:%S") - strptime(AAA,"%Y-%m-%d %H:%M:%S")
|stats savg(duration) AS moyen
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2017 08:17 AM

What is field E? Counting a field that doesn't exist will make F=0

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-20-2017 08:22 AM

This field exist, E is an unique identifier on 1 event

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-20-2017 08:31 AM

Have you validated BBB and AAAA values are different or not?
Can you add few data samples?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-20-2017 08:37 AM

Yes they are différents exemple : AAA = 2017-02-18 11:53:05
BBB = 2017-02-18 11:53:14

But no i can't add data sample ..

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-20-2017 08:55 AM

You said that your field values are in format D+HH:MM:SS (string formatted duration) but the sample values above shows that they are timestmap, which one is it? If it's timestamp then your convert dur2sec will fail and return 0/null. If they are timestamp, then give this a try

...your base search
| eval duration=strptime(BBB,"%Y-%m-%d %H:%M:%S")-strptime(AAA,"%Y-%m-%d %H:%M:%S")
|stats sum(duration) as duration dc(E) as F
| eval moyen= duration/F
| fields moyen
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-20-2017 09:04 AM

Okay ! Thanks for your help !

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...