Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate avg task duration

snabi
Explorer
‎11-27-2014 08:43 AM

Thanks in advance...

- My server log contains the following

xxxxxxxx|xx -> Finished embeding fallback task 00:01:00.0004165

xxxxxxxx|xx -> Finished embeding fallback task 00:00:49.0004062

  • My goal is to calculate average time spent in seconds on these tasks over last couple hours

Out-put should look like : ** (AVG) embeding fallback duration 54.50041135**

SPLUNK query attempted : Not working......

"Finished embeding fallback task*" sourcetype="Doctrackr" index="staging2" | rex field=_raw "Finished embeding fallback task (?.\d+)" |eval duration=strptime(embeding_fallback_task_duration,"%H:%M:%S")| eval base=strptime("00:00:00.00","%H:%M:%S") | eval secs=duration-base | stats avg(duration) as "(AVG) embeding fallback duration"

Tags (4)
0 Karma
Reply

snabi
Explorer
‎11-27-2014 01:07 PM

Thank you.... found a fix

"Finished embeding fallback task*" sourcetype="Doctrackr" index="staging2" | rex field=_raw "Finished embeding fallback task (?.\d+):(?.\d+):(?.\d+).(?.\d+)" | eval embeding_fallback_task_duration = ((hours*60*60)+(minutes*60)+seconds+(subSeconds/1000000)) | stats avg(embeding_fallback_task_duration)

For...
Finished embeding fallback task 00:00:00.1918088
Finished embeding fallback task 00:00:00.1136647

Out put...
avg(embeding_fallback_task_duration)
0.152737

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎11-27-2014 12:41 PM

Because your regex will only match the 00:00:00 hours:minute:seconds numbers and none of the .subsecond numbers

0 Karma
Reply

snabi
Explorer
‎11-27-2014 12:18 PM

This seems to be working...

"Finished embeding fallback task*" sourcetype="Doctrackr" index="staging2" | rex field=_raw "Finished embeding fallback task (?.\d+):(?.\d+):(?.\d+)" | eval embeding_fallback_task_duration = ((hours*60*60)+(minutes*60)+seconds) | timechart avg(embeding_fallback_task_duration)

But ..why my output shows 0.00000 ... for following logs?

Finished embeding fallback task 00:00:00.1284716
Finished embeding fallback task 00:00:00.1496968

Out-put i am getting...
avg(embeding_fallback_task_duration)
0.000000

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-27-2014 10:25 AM

Are your duarion and secs fields calculated correctly before the stats?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-27-2014 09:35 AM

I think your stats avg(duration) should be stats avg(secs).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

snabi
Explorer
‎11-27-2014 10:12 AM

Thanks for the correction.....still not returning any output..

Finished embeding fallback task*" sourcetype="Doctrackr" index="staging2" | rex field=_raw "Finished embeding fallback task (?.d+)" |eval duration=strptime(embeding_fallback_task_duration,"%H:%M:%S")| eval base=strptime("00:00:00.00","%H:%M:%S") | eval secs=duration-base | stats avg(secs) as "(AVG) embeding fallback duration"

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...