Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate avg of time values

neerajs_81
Builder
2 weeks ago

Hello All,  Below is my dataset from a base query. How can i calculate the average value of the column ?

Incidentavg_timedayshrsminutes
P11 hour, 29 minutes0.061810412045085321.483449889082047829.00699334492286
P21 hour, 18 minutes0.05428940107829018 1.302945625878964218.176737552737862


I need to display the average of the avg_time values. Since there is date/time involved, merely doing the below function is not working

stats avg(avg_time) as average_ttc_overall

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Builder
2 weeks ago

@neerajs_81 

You can use below for avg_mins and avg_hours.

| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_ttc_overall
| eval avg_hours=floor(average_ttc_overall / 60)
| eval avg_minutes=round(average_ttc_overall % 60)
| eval hour_avg=avg_hours . " hr " . avg_minutes . " mins" | table average_ttc_overall hour_avg


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

1. As @ITWhisperer noticed - you might be reinventing the wheel since probably the value comes from some earlier time-based data so there could be no need for rendering and parsing this value back and forth

2. Are you sure (you might be, just asking) that you want to calculate average of the averages? If the overall average is what you're seeking, an average of averages will not give you that.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

It looks like all these times are based on a common (other unshown) field. Perhaps it would be helpful it you shared more information about how these current fields are calculated as there may be a different calculation you can do to get you nearer to your desired result?

Reply
Solved! Jump to solution

PrewinThomas
Builder
2 weeks ago

@neerajs_81 

When it's formatted as strings like "1 hour, 29 minutes", you'll need to convert those time strings into a numeric format first(typically total minutes) before applying stats avg()

Eg:

| your_base_search
| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_min

 

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Solved! Jump to solution

neerajs_81
Builder
2 weeks ago

Thanks a lot. I got the average_min as per your query but now how do i convert / represent it back to hours minutes format ?

| stats avg(total_minutes) as average_min

  For example your query gave me the average_min= 112.9  . How do i convert this back to show as 1 hour, 8 minutes 

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Builder
2 weeks ago

@neerajs_81 

You can use below for avg_mins and avg_hours.

| eval time_parts=split(avg_time, ", ")
| eval hours=tonumber(replace(mvindex(time_parts, 0), " hour[s]?", ""))
| eval minutes=tonumber(replace(mvindex(time_parts, 1), " minute[s]?", ""))
| eval total_minutes=(hours * 60) + minutes
| stats avg(total_minutes) as average_ttc_overall
| eval avg_hours=floor(average_ttc_overall / 60)
| eval avg_minutes=round(average_ttc_overall % 60)
| eval hour_avg=avg_hours . " hr " . avg_minutes . " mins" | table average_ttc_overall hour_avg


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Try something like this

| eval average_min=tostring(average_min,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
2 weeks ago

Thanks @ITWhisperer   Tried that as i found the same on your other posts. But this is what is displays the result as .  How to make it  show as 1h, 45 mins ?  More easily readable format in days, hours ,minutes.

neerajs_81_0-1753967157540.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Try something like this

| rex field=field_in_hhmmss "((?<days>\d+)\+)?((?<hours>\d+):)?((?<minutes>\d+):)?(?<seconds>[\d\.]+)"
| eval formatted=if(days > 0,days." days, ","").if(days > 0 OR hours > 0,hours." hours, ","").if(days > 0 OR hours > 0 OR minutes > 0,minutes." mins, ","").if(seconds > 0,seconds." secs","")
Reply
Solved! Jump to solution

neerajs_81
Builder
2 weeks ago

Thank you. Giving your karma points

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Whether you're managing complex deployments or looking to future-proof your data infrastructure, this session ...