Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate avg of time values

neerajs_81
Builder
‎07-31-2025 01:39 AM

Hello All,  Below is my dataset from a base query. How can i calculate the average value of the column ?

Incidentavg_timedayshrsminutes
P11 hour, 29 minutes0.061810412045085321.483449889082047829.00699334492286
P21 hour, 18 minutes0.05428940107829018 1.302945625878964218.176737552737862


I need to display the average of the avg_time values. Since there is date/time involved, merely doing the below function is not working

stats avg(avg_time) as average_ttc_overall

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎07-31-2025 09:10 PM

@neerajs_81 

You can use below for avg_mins and avg_hours.

| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_ttc_overall
| eval avg_hours=floor(average_ttc_overall / 60)
| eval avg_minutes=round(average_ttc_overall % 60)
| eval hour_avg=avg_hours . " hr " . avg_minutes . " mins" | table average_ttc_overall hour_avg


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2025 06:29 AM

1. As @ITWhisperer noticed - you might be reinventing the wheel since probably the value comes from some earlier time-based data so there could be no need for rendering and parsing this value back and forth

2. Are you sure (you might be, just asking) that you want to calculate average of the averages? If the overall average is what you're seeking, an average of averages will not give you that.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-31-2025 02:27 AM

It looks like all these times are based on a common (other unshown) field. Perhaps it would be helpful it you shared more information about how these current fields are calculated as there may be a different calculation you can do to get you nearer to your desired result?

Reply
Solved! Jump to solution

PrewinThomas
Motivator
‎07-31-2025 02:02 AM

@neerajs_81 

When it's formatted as strings like "1 hour, 29 minutes", you'll need to convert those time strings into a numeric format first(typically total minutes) before applying stats avg()

Eg:

| your_base_search
| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_min

 

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-31-2025 05:51 AM

Thanks a lot. I got the average_min as per your query but now how do i convert / represent it back to hours minutes format ?

| stats avg(total_minutes) as average_min

  For example your query gave me the average_min= 112.9  . How do i convert this back to show as 1 hour, 8 minutes 

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎07-31-2025 09:10 PM

@neerajs_81 

You can use below for avg_mins and avg_hours.

| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_ttc_overall
| eval avg_hours=floor(average_ttc_overall / 60)
| eval avg_minutes=round(average_ttc_overall % 60)
| eval hour_avg=avg_hours . " hr " . avg_minutes . " mins" | table average_ttc_overall hour_avg


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-31-2025 05:58 AM

Try something like this

| eval average_min=tostring(average_min,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-31-2025 06:06 AM

Thanks @ITWhisperer   Tried that as i found the same on your other posts. But this is what is displays the result as .  How to make it  show as 1h, 45 mins ?  More easily readable format in days, hours ,minutes.

neerajs_81_0-1753967157540.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-31-2025 07:09 AM

Try something like this

| rex field=field_in_hhmmss "((?<days>\d+)\+)?((?<hours>\d+):)?((?<minutes>\d+):)?(?<seconds>[\d\.]+)"
| eval formatted=if(days > 0,days." days, ","").if(days > 0 OR hours > 0,hours." hours, ","").if(days > 0 OR hours > 0 OR minutes > 0,minutes." mins, ","").if(seconds > 0,seconds." secs","")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-31-2025 10:32 PM

Thank you. Giving your karma points

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...