Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How Can I use Stats Avg() On a Datetime Field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One method could be to use the convert command to change the field from a duration into to seconds, then average with some form of stats, and if necessary use the tostring function in an eval to change back to duration format.
... | convert dur2sec(field) | stats avg(field) as field | eval field=tostring(round(field),"duration")
Now with any solution there are some assumptions of your data, with this convert method, it assumes that
- No fractional seconds are present e.g. "01:02:03.456" would not work
- Days are specified as "D+" e.g. "1+0:0:1" will work but "1:0:0:1" will not
- Hours and minutes respect their respective moduli (0-23 hours, 0-59 minutes)
If your data doesn't conform to this, then you could craft your own regular expression and use rex command to pull out the pieces and use an eval to combine into seconds:
... | rex field=field "^(?<dur_h>\d+):(?<dur_m>\d+):(?<dur_s>\d+(?:\.\d+)?)$" | eval dur = (dur_h*60 + dur_m)*60 + dur_s | stats avg(dur) as field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One method could be to use the convert command to change the field from a duration into to seconds, then average with some form of stats, and if necessary use the tostring function in an eval to change back to duration format.
... | convert dur2sec(field) | stats avg(field) as field | eval field=tostring(round(field),"duration")
Now with any solution there are some assumptions of your data, with this convert method, it assumes that
- No fractional seconds are present e.g. "01:02:03.456" would not work
- Days are specified as "D+" e.g. "1+0:0:1" will work but "1:0:0:1" will not
- Hours and minutes respect their respective moduli (0-23 hours, 0-59 minutes)
If your data doesn't conform to this, then you could craft your own regular expression and use rex command to pull out the pieces and use an eval to combine into seconds:
... | rex field=field "^(?<dur_h>\d+):(?<dur_m>\d+):(?<dur_s>\d+(?:\.\d+)?)$" | eval dur = (dur_h*60 + dur_m)*60 + dur_s | stats avg(dur) as field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @acharlieh ♦ !
Worked perfectly!
Just tryin' now to get the difference from the last head 1 event duration to the average duration.
With the average and the last event I shall get the deviation to generate a red, yellow or green status.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May be do an eval and convert them to total seconds into a new field.. and do average on the new field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What function could I use to convert em with an eval? I mean, I dont have the full date...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
