Re: Group time duration by minute

pranaynanda · ‎09-21-2017

I have a set of data where I run this query:

 base search| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(time*)| eval total_time=((time_complete-time_initial)/60)| timechart avg(total_time) AS "Average Time to Complete" by Module

where I would like to group the values of field total_time in groups of 0-2 / 3-5 / 6-10 / 11-20 / > 20 and show the count in a timechart.

Please help.

cmerriman · ‎09-21-2017

i think your best bet is to use an eval:

base search| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(time*)| eval total_time=((time_complete-time_initial)/60)| timechart avg(total_time) AS total_time_avg by Module|eval "Average Time to Complete"=case(total_time_avg<=120,"0-2",total_time_avg<=300,"3-5",total_time_avg<=600,"6-10",total_time_avg<=1200,"11-20",1=1,">20")|fields - total_time_avg

just understand that 3-5 is anything over 2 minutes up through 5 minutes, 6-10 is anything over 5 minutes up through 10 minutes, etc. though it can be adjusted accordingly.

pranaynanda · ‎09-21-2017

It does not solve. This is how it looks:

2017-08-27 >20 1.3433333333333333
2017-08-28 >20 0.9136054421768706
2017-08-29 >20 1.1056265984654732
2017-08-30 >20 1.1308823529411764

Every value out there is ">20"

cmerriman · ‎09-21-2017

sorry that was an oversight on my part. with using timechart, total_time_avg wouldn't be a column header, your Module values would be.

try this:

base search| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(time*)| eval total_time=((time_complete-time_initial)/60)| timechart avg(total_time) AS total_time_avg by Module|foreach * [eval <<FIELD>>=case('<<FIELD>>'<=120,"0-2",'<<FIELD>>'<=300,"3-5",'<<FIELD>>'<=600,"6-10",'<<FIELD>>'<=1200,"11-20",1=1,">20")]

pranaynanda · ‎09-21-2017

Sorry from my end too but there was a gap in description of the problem. I want to know the count of values that landed in these groups in a time frame. So if there's a trendline visualization, there should be 5 trendlines for each of these groups showing how many of these time averages landed in each group in that time frame.

cmerriman · ‎09-21-2017

alright, so that makes it more complicated. maybe something like this:

base search| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(time*) |bucket _time span=1d| eval total_time=((time_complete-time_initial)/60)|eventstats avg(total_time) as total_time_avg by _time Module|eval total_time_avg=case(total_time_avg<=120,"0-2",total_time_avg<=300,"3-5",total_time_avg<=600,"6-10",total_time_avg<=1200,"11-20",1=1,">20")| stats count by _time Module total_time_avg|eval {Module}=count|fields - Module count|stats values(*) as * by _time total_time_avg

pranaynanda · ‎09-21-2017

Thank you for your help. This solved my problem:

base search|convert timeformat="%Y-%m-%d %H:%M:%S" mktime(time*)|eval total_time=((time_complete-time_initial))|rename total_time as total_time_avg|eval "Average Time to Complete"=case(total_time_avg<=120,"0-2",total_time_avg<=300,"3-5",total_time_avg<=600,"6-10",total_time_avg<=1200,"11-20",1=1,">20")|fields - total_time_avg| timechart count by "Average Time to Complete"

I would convert this to an answer but I don't have the permissions.

pranaynanda · ‎09-26-2017

Someone please convert this comment to an answer!!!

Group time duration by minute

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation