Find average time duration in hh:mm

ajmanish · ‎05-03-2021

I am trying to find the average time duration in hh:mm from the data in one column. Below is the search query which gives me data as below and I want the average time duration in hh:mm like average time duration of a column is 01:22 or whatever the value is.

I tried looking for the same articles but nothing seem to work.
Any help would be greatly appreciated. Thank you

search month="Apr,2021" | stats count by "TotalTimeTaken (hh:MM)" |

"TotalTimeTaken (hh:MM)"
00:24
01:44
02:23
00:54

s2_splunk · ‎05-03-2021

This should get you started:

| makeresults 
| eval n="00:24 01:44 02:23 00:54" 
| makemv delim=" " n 
| mvexpand n 
| eval hhmm = substr("00:00:00",1,8-len(n)).n 
| convert dur2sec(hhmm) as seconds 
| stats avg(seconds) as avgsec 
| eval AvgDur = tostring(avgsec, "duration")

First four lines are generating test events from your example data. If you are fine with the average time in seconds, you can skip the last line.

Find average time duration in hh:mm

eval

fields

stats

timechart

tstats

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

Find average time duration in hh:mm

Can’t make it to .conf25? Join us online!