Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How Can I use Stats Avg() On a Datetime Field?

vtsguerrero
Contributor
‎07-26-2015 08:49 AM

I have this indexed field which is read by splunk as a string, I need the average length, but the data has no Day, month or year, just time.

Example data :
03:20:15
02:45:07
03:12:00
04:05:23

How do I convert these so Splunk can get the average??

Thanks in advance!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎07-26-2015 11:38 AM

One method could be to use the convert command to change the field from a duration into to seconds, then average with some form of stats, and if necessary use the tostring function in an eval to change back to duration format.

... | convert dur2sec(field) | stats avg(field) as field | eval field=tostring(round(field),"duration")

Now with any solution there are some assumptions of your data, with this convert method, it assumes that

  • No fractional seconds are present e.g. "01:02:03.456" would not work
  • Days are specified as "D+" e.g. "1+0:0:1" will work but "1:0:0:1" will not
  • Hours and minutes respect their respective moduli (0-23 hours, 0-59 minutes)

If your data doesn't conform to this, then you could craft your own regular expression and use rex command to pull out the pieces and use an eval to combine into seconds:

... | rex field=field "^(?<dur_h>\d+):(?<dur_m>\d+):(?<dur_s>\d+(?:\.\d+)?)$" | eval dur = (dur_h*60 + dur_m)*60 + dur_s | stats avg(dur) as field

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎07-26-2015 11:38 AM

One method could be to use the convert command to change the field from a duration into to seconds, then average with some form of stats, and if necessary use the tostring function in an eval to change back to duration format.

... | convert dur2sec(field) | stats avg(field) as field | eval field=tostring(round(field),"duration")

Now with any solution there are some assumptions of your data, with this convert method, it assumes that

  • No fractional seconds are present e.g. "01:02:03.456" would not work
  • Days are specified as "D+" e.g. "1+0:0:1" will work but "1:0:0:1" will not
  • Hours and minutes respect their respective moduli (0-23 hours, 0-59 minutes)

If your data doesn't conform to this, then you could craft your own regular expression and use rex command to pull out the pieces and use an eval to combine into seconds:

... | rex field=field "^(?<dur_h>\d+):(?<dur_m>\d+):(?<dur_s>\d+(?:\.\d+)?)$" | eval dur = (dur_h*60 + dur_m)*60 + dur_s | stats avg(dur) as field
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎07-27-2015 06:24 AM

Thanks a lot @acharlieh ♦ !
Worked perfectly!
Just tryin' now to get the difference from the last head 1 event duration to the average duration.
With the average and the last event I shall get the deviation to generate a red, yellow or green status.
Thanks!

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎07-26-2015 09:26 AM

May be do an eval and convert them to total seconds into a new field.. and do average on the new field.

0 Karma
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎07-26-2015 10:30 AM

What function could I use to convert em with an eval? I mean, I dont have the full date...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...